[11345] in cryptography@c2.net mail archive


Re: An authentication question

daemon@ATHENA.MIT.EDU (bear)
Tue Aug 6 10:53:58 2002

Date: Tue, 6 Aug 2002 07:47:06 -0700 (PDT)
From: bear <bear@sonic.net>
To: Adam Fields <fields@surgam.net>
Cc: cryptography@wasabisystems.com
In-Reply-To: <20020805201230.GD1819@rubicon.surgam.net>



On Mon, 5 Aug 2002, Adam Fields wrote:

>If you were going to open up an interface to allow known parties to
>upload files to you via web form submission, would you want to 1)
>distribute passwords to them and let them sign in to a page where they
>could upload the files over SSL, or 2) allow anyone to upload files
>and require that authorized parties sign (and/or encrypt) the files
>before uploading them, rejecting any that weren't signed with a valid
>key?
>
>Are these two scenarios equivalent from a security standpoint?
>
>
>--
>				- Adam

No.  The "signin" form makes you a little more resistant to DOS attacks
based on sucking up all your bandwidth.  Allowing anyone to upload files
makes you a little more resistant to some kinds of "web tracking" that
anyone may be doing on your correspondents.  You just have to decide what
you're most paranoid about.

In both cases, the files are encrypted over the pipe, so you needn't
worry too much about eavesdroppers on the file content.

				Bear



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
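
Option 2 from the question (accept uploads from anyone, keep only those signed by an authorized key), as an added example that is not part of the original thread. It also reports how many bytes the server had to read before it could reject an unsigned body, which is the bandwidth cost raised in the reply. Ed25519 detached signatures, the 1 MiB cap and all names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
	"io"
)

const maxUpload = 1 << 20 // size cap in bytes (constructed value)

var (
	ErrTooLarge = errors.New("upload exceeds size cap")
	ErrUnsigned = errors.New("no authorized key verifies this upload")
)

// AcceptSigned models option 2: anyone may send a body, and it is kept only if
// the detached signature verifies under an authorized key. It returns the index
// of the matching key and how many bytes were read before the decision.
func AcceptSigned(body io.Reader, sig []byte, authorized []ed25519.PublicKey) (int, int, error) {
	// Read one byte past the cap so an oversized body is detected, not truncated.
	data, err := io.ReadAll(io.LimitReader(body, maxUpload+1))
	if err != nil {
		return -1, len(data), err
	}
	if len(data) > maxUpload {
		return -1, len(data), ErrTooLarge
	}
	for i, pub := range authorized {
		if ed25519.Verify(pub, data, sig) {
			return i, len(data), nil
		}
	}
	return -1, len(data), ErrUnsigned // the whole body was received before rejection
}

// Demo runs three constructed uploads: signed, unsigned, and oversized.
func Demo() (key, wasted int, unsignedErr, bigErr error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed sender key pair
	keys := []ed25519.PublicKey{pub}
	file := []byte("constructed sample upload")
	key, _, _ = AcceptSigned(bytes.NewReader(file), ed25519.Sign(priv, file), keys)
	junk := make([]byte, 4096)
	_, wasted, unsignedErr = AcceptSigned(bytes.NewReader(junk), make([]byte, 64), keys)
	_, _, bigErr = AcceptSigned(bytes.NewReader(make([]byte, maxUpload+10)), nil, keys)
	return
}

func main() {
	fmt.Println(Demo())
}
```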
