[thelist] security on the server

Peter Kaulback pkaulbak at idirect.ca
Thu Jul 12 13:56:19 CDT 2001


In the wee hour of 10:45 PM 7/11/01 -0400, Warden, Matt bequeathed such 
tales as these:
> > From: "Peter Kaulback" <pkaulbak at idirect.ca>
> > Subject: [thelist] security on the server
> >
>
> > I have a client who wishes to have documents made available to
> > their clientele for download from their server. These are
> > confidential documents to be opened only by their respective
> > owners. We had originally thought of PDFs as the format with
> > its 128-bit security but now with the problems associated with it
> > cropping up we are seeking alternatives. Simplicity is the rule
> > for the client and their clientele as they want to handle the
> > transfer to their server and would prefer a one or two step
> > operation. Would multiple secure directories be the answer for all
> > the unique entities in their clientele? This implementation is new
> > to me. Any ideas would be so graciously appreciated.

Hi Matt, thanks for your input.

>From your description, it was unclear to me if you are just asking
>about encryption of the file itself or the transfer of that file over
>http/SSL.

Actually, it's both the encryption and the transfer. The files will be
very small, Word documents converted to PDF, so their time in transit will
be minimal. Is the PDF security model very secure and are there other
methods more secure?

>If you're talking about the transfer, this is what I propose:
>
>(a) store the PDFs below the site's root, so that it is inaccessible
>by typing in a URL.
>(b) write a script and store it above the site's root. The user will
>login and visit this page. The script will look up in the database
>all the files owned by the logged-in user and list them for the user
>to select. The script, after the user has clicked on a filename, will
>then grab the file from the filesystem and feed it to the browser,
>making sure to set the correct Content-Type header for the file.
>
>Is this the kind of thing you're looking for? If so, feel free to
>fire some questions my way, as I've done this sort of thing quite a
>few times in the past.

This is the kind of thing I'm looking for exactly as well. How difficult is 
such an operation from the user's standpoint and for the designer/developer?

Peter Kaulback
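
The download flow proposed in the quoted reply (files kept where no URL maps to them, a script that lists and serves only the logged-in user's files), as an added example that is not part of the original thread. Python, the sqlite3 table and every name here are assumptions, since the thread names no language or schema; `user` is taken to come from an already authenticated session.

```python
import mimetypes
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample data: a storage directory that no URL maps to, and an
# ownership table. All names and contents are hypothetical.
STORE = Path(tempfile.mkdtemp(prefix="private_docs_"))
(STORE / "acme-statement.pdf").write_bytes(b"%PDF-1.4 constructed sample")
(STORE / "globex-statement.pdf").write_bytes(b"%PDF-1.4 constructed sample")

DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, filename TEXT)")
DB.executemany("INSERT INTO documents (owner, filename) VALUES (?, ?)",
               [("acme", "acme-statement.pdf"), ("globex", "globex-statement.pdf")])


def list_documents(user):
    """List only the documents owned by the logged-in user."""
    rows = DB.execute("SELECT id, filename FROM documents WHERE owner = ?", (user,))
    return rows.fetchall()


def serve_document(user, doc_id):
    """Return (status, headers, body) for one requested document id."""
    # Ownership is part of the lookup, so guessing another client's id
    # gives the same 404 as a document that does not exist.
    row = DB.execute("SELECT filename FROM documents WHERE id = ? AND owner = ?",
                     (doc_id, user)).fetchone()
    if row is None:
        return 404, {}, b""
    path = (STORE / row[0]).resolve()
    # Refuse stored names that resolve outside the storage directory.
    if STORE.resolve() not in path.parents or not path.is_file():
        return 404, {}, b""
    ctype = mimetypes.guess_type(path.name)[0] or "application/octet-stream"
    headers = {
        "Content-Type": ctype,
        "Content-Disposition": f'attachment; filename="{path.name}"',
        "Cache-Control": "no-store",  # keep confidential files out of caches
    }
    return 200, headers, path.read_bytes()
```

The client only ever sends a document id, never a path, and the response should go out over SSL as the thread discusses.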




