[ic] (was) Dumb security question

vic vic@anabolic.com
Fri, 30 Mar 2001 17:45:21 -0800


While cfm makes an interesting point (know your operating system), one
alternate way to provide for this type of email confirmation functionality
is to simply email them a LINK to the information and have that information
be accessible only via https login or restrict access to the link by IP# in.
I believe Akopia has a similar function, but I stopped trying to really use
the remote admin features of minivend a long time ago.

Using this approach you do not have the burden of having to have your
rep understand pgp, encryption or anything else; he can just be a sales guy.
Also, this gives the chance to build information dynamically on the
strengths of minivend (in my case, I can generate the information
dynamically on an as-need basis) and I don't have to worry about invoicing
information going out across the wire.  The additional benefit is, a sales
rep would be hard pressed to say they didn't get the information and you can
use that same link to convey other timely information (to your sales team,
intranet advertising so to say).

Also, technically, we should all be paying for commercial licenses of pgp if
we use it in a commercial endeavor, so there is a slight barrier to using
the pgp approach (legitimately), especially in an economically scalable
solution.  However, with the wonders of web magic and https, we can define
strict access requirements using certs (even if they're just self signed for
internal use).

Vic

Find out today how secure you are at  www.hackerwhacker.com
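
Added example, not part of Vic's message and not minivend or Akopia code: a sketch of the link-only notification described above, where the mail carries just an https link and the server checks login and source address before showing anything. The host name, path, networks and function names are assumptions; the post offers login or IP restriction as alternatives, and this sketch applies both.

```python
import ipaddress
from urllib.parse import urlencode, urlsplit

# Constructed sample values (assumptions, not from the original post).
BASE_URL = "https://shop.example.com/admin/order"
ALLOWED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),   # office range (constructed)
    ipaddress.ip_network("10.0.0.0/8"),     # internal range (constructed)
]


def order_link(order_number):
    """Build the https link that is mailed instead of the order data."""
    return BASE_URL + "?" + urlencode({"order": order_number})


def build_notification(order_number):
    """Mail body carries only a pointer; invoicing data stays on the server."""
    return "A new order is ready for review:\n" + order_link(order_number) + "\n"


def may_view(url, client_ip, authenticated_user):
    """Server-side gate for the linked page. Returns (allowed, reason)."""
    if urlsplit(url).scheme != "https":
        return False, "not https"
    if not authenticated_user:
        return False, "login required"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "bad client address"
    # A v6 address is never "in" a v4 network, so mixed families fail closed.
    if not any(addr in net for net in ALLOWED_NETS):
        return False, "address not allowed"
    return True, "ok"


if __name__ == "__main__":
    print(build_notification("1001"))
    print(may_view(order_link("1001"), "192.0.2.17", "rep1"))
    print(may_view(order_link("1001"), "203.0.113.5", "rep1"))
```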