On Thu, 2001-10-18 at 17:50, Benjamin, Dan wrote:
> I have been tasked with finding and implementing solutions to provide
> payroll vendors/401k vendors and health care providers with methods our
> company can use to transmit encrypted files via Website (IIS), FTP, and
> E-mail (Exchange). We are a total MS shop. I thought of looking to Verisign
> for Website encryption, PGP possibly for e-mail, and don't have a thought on
> FTP other than encrypting a zip file. We don't have anonymous login
> available on FTP. Could I get some thoughts on Verisign and PGP and options
> of FTP methods.

PGP is very useful. I agree that it makes sense for email. However, it can also be used for general purpose file encryption (and you'll find it much more robust than zip).

I've worked on several projects that involved financial or employee data transfer outside of the information owner's network. In these cases, we used PGP to encrypt the data before transfer (usually via an automated process). This provides a few interesting advantages.

First, it provides some additional protection for that data on the external company's network. Until that data is used, it exists in the encrypted form. This makes it a little harder to compromise that data immediately as it hits the external network. Granted, this makes some assumptions on the external party's key management (assuming compromising that key is not too easy). And once the data is pulled out of the file to be used - then the file's encryption is no longer an issue. So it's a minor point, but still a nice plus.

The main advantage is that you now have a lot more possibilities in transport protocols. We were often using FTP - sending the file to the external host, or pulling it through our internal corporate firewall from an external anonymous FTP drop point. Obviously, we're protecting the data in transit. But it also enables the use of anonymous ftp drop points (with disabled directory browsing) in special cases (this method solves some problems with access and depends on the sensitivity of the data). Even if one is able to figure out WHERE the file is, one will still need the pgp private key to make use of that file.

--
.: Paul Hosking . [EMAIL PROTECTED]
.: InfoSec
.: PGP KeyID: 0x42F93AE9
.: 7B86 4F79 E496 2775 7945 FA81 8D94 196D 42F9 3AE
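
Added example, not part of the message above: the encrypt-before-transfer workflow the reply describes, sketched with GnuPG as the OpenPGP tool. The key identity, file names and payroll rows are constructed, and the empty passphrase and `--trust-model always` are shortcuts that keep the run self-contained; in production the vendor's key fingerprint is verified out of band.

```shell
# Added example; every name, address and data row here is constructed.
RCPT='payroll@vendor.example'   # hypothetical vendor key identity

# Vendor, once: create a key pair in keyring $1, export only the public half to $2.
# The empty passphrase is a demo shortcut; a real private key is protected.
vendor_make_key() {
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Payroll Vendor <$RCPT>" default default never &&
  gpg --homedir "$1" --batch --armor --export "$RCPT" > "$2"
}

# Sender: import public key $2 into keyring $1, encrypt file $3 to it as $4.
# Only $4 is handed to the FTP job; the sender cannot decrypt it either.
sender_encrypt() {
  gpg --homedir "$1" --batch --quiet --import "$2" &&
  gpg --homedir "$1" --batch --yes --quiet --trust-model always \
      --recipient "$RCPT" --output "$4" --encrypt "$3"
}

# Decrypt $2 to stdout with whatever private keys keyring $1 holds.
decrypt_with() {
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --decrypt "$2" 2>/dev/null
}

# End-to-end run in a scratch directory; prints one line per check.
demo() {
  local d h; d=$(mktemp -d) || return 1
  mkdir -m 700 "$d/vendor" "$d/sender" "$d/finder"
  printf 'emp_id,net_pay\n1001,2450.00\n' > "$d/payroll.csv"
  vendor_make_key "$d/vendor" "$d/pub.asc" || return 1
  sender_encrypt "$d/sender" "$d/pub.asc" "$d/payroll.csv" "$d/payroll.csv.pgp" || return 1
  grep -q 'net_pay' "$d/payroll.csv.pgp" && { echo 'plaintext leaked'; return 1; }
  echo 'ciphertext: no plaintext visible'
  # Someone who only located the file on the drop point holds no private key.
  decrypt_with "$d/finder" "$d/payroll.csv.pgp" >/dev/null && return 1
  echo 'finder without key: decrypt failed'
  [ "$(decrypt_with "$d/vendor" "$d/payroll.csv.pgp")" = "$(cat "$d/payroll.csv")" ] || return 1
  echo 'vendor with private key: decrypt ok'
  for h in vendor sender finder; do
    gpgconf --homedir "$d/$h" --kill all 2>/dev/null
  done
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Source the file and call `demo`, or run the script with the argument `demo`; it needs GnuPG 2.1 or later on the PATH.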