I'm wondering whether role-based credentials, vs. individual user credentials, might not make more sense here. Could the database owner key be issued to a role vs. an individual identity? In this way, your human users could be associated with a role that has a right to issue a query to the database via the middleware, but only the middleware would be associated with the role that had access to the key that could decrypt the data that satisfies the user's query. This does not, however, solve the problem of ensuring that the data remain secure once they are decrypted. You don't mention the assurance level of the encryption used in the database - i.e., does it exceed the strength of SSL or TLS with encryption based on AES and Class 3 X.509 certificates?
Some interesting work going on at INRIA in France that may be relevant: www-smis.inria.fr/Etheme_2._Data_confidentiality.html

Also, some combination of the capabilities provided by nCipher may be of interest: www.ncipher.com

--
Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton
703-902-6981
[EMAIL PROTECTED]