> * even though you sent them the pass phrase

That is the key thing. With host-proof hosting, you never send the pass phrase to the hosting server. Your pass phrase remains on your client computer.

Maybe Ms. Kelly (whom I have copied on this email) can elaborate more on the topic of the host-proof hosting pattern. Her company (www.passpack.com) has successfully implemented this pattern.

On 3/20/08, Crispin Cowan <[EMAIL PROTECTED]> wrote:
> Ali, Saqib wrote:
> > Wells Fargo to Personal Online Safe for storing electronic copies of
> > important materials, such as financial statements, loan and tax
> > documents, wills, passports, and birth, marriage and death
> > certificates:
> > https://www.wellsfargo.com/press/2008/20080319_Online_Safe
> >
> > Ok, that sounds like a bad idea.
> >
> > Note: The only way I will feel safe about this service is that Wells
> > Fargo uses Host-Proof Hosting patterns[1], and PROVE (i.e. get
> > certified) that host-proof hosting pattern is implemented properly and
> > securely. Until then I will store these documents on an encrypted drive
> > that I have control over.
> >
> > 1. http://en.wikipedia.org/wiki/Host-proof_hosting
> >
>
> This *also* sounds like a really bad idea. You trust the host to:
>
> * not persist the clear text data
> * not persist the passphrase
> * not persist the decryption key
> * even though you sent them the pass phrase
>
> Never mind that lots of web sites have been caught trousers down
> retaining the extra 3-digit security codes from credit cards, never mind
> that they aren't supposed to retain that either.
>
> Crispin

_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
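
Added example, not part of the email thread and not Passpack's or Wells Fargo's code: a Node.js sketch of the client/host split that host-proof hosting relies on, where the key is derived from the pass phrase on the client and the host only ever receives salt, IV, tag and ciphertext. The function names, the `Host` class, the choice of scrypt with AES-256-GCM, and the sample strings are all assumptions made for illustration.

```javascript
const crypto = require('crypto'); // added illustration; every name below is hypothetical

// CLIENT: derive the key from the pass phrase locally and encrypt before upload.
function clientSeal(passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(passphrase, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  // Only these opaque fields leave the client.
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// CLIENT: re-derive the key from the pass phrase and the stored salt, then decrypt.
function clientOpen(passphrase, blob) {
  const bin = (s) => Buffer.from(s, 'base64');
  const key = crypto.scryptSync(passphrase, bin(blob.salt), 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, bin(blob.iv));
  decipher.setAuthTag(bin(blob.tag));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([decipher.update(bin(blob.ct)), decipher.final()]).toString('utf8');
}

// HOST: stand-in for the hosting server; it records every byte it is sent.
class Host {
  constructor() { this.store = new Map(); this.wireLog = []; }
  put(id, blob) { const wire = JSON.stringify(blob); this.wireLog.push(wire); this.store.set(id, wire); }
  get(id) { return JSON.parse(this.store.get(id)); }
}

const rejects = (fn) => { try { fn(); return false; } catch (e) { return true; } };
function demo() {
  const passphrase = 'constructed pass phrase, sample only';
  const doc = 'constructed sample document: passport scan';
  const host = new Host();
  host.put('doc-1', clientSeal(passphrase, doc));
  const seen = host.wireLog.join('\n');
  const tampered = host.get('doc-1');
  const raw = Buffer.from(tampered.ct, 'base64');
  raw[0] ^= 1; // flip one ciphertext bit, as a misbehaving host could
  tampered.ct = raw.toString('base64');
  return {
    hostSawSecret: seen.includes(passphrase) || seen.includes(doc),
    roundTrip: clientOpen(passphrase, host.get('doc-1')),
    wrongPassRejected: rejects(() => clientOpen('wrong pass phrase', host.get('doc-1'))),
    tamperRejected: rejects(() => clientOpen(passphrase, tampered)),
  };
}
```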
