
Re: [cobalt-developers] PGP installation and config with SSL



hi rob,

> Thanks for the input Jonas.  Just one quick question however...  Is there a
> way to put the key in the form itself.  The customer will input the
> information in the form to be sent to the magazine.  I wonder if there's a
> way to encrypt it automatically?  Is this possible or will that compromise
> the security?

there are two ways in which data is transmitted:

1. the customer fills out the form and submits it -> data is sent to the server. you have to encrypt it via SSL for it to be secure.

2. you generate information that should be sent to the customer (maybe, customer id and a password, or something else). if you show this data on a webpage, everything works fine via ssl (but i don't think that it is a good idea to show a password on a website...). if the data is sent back via e-mail, you can't use SSL here, but you need something like pgp/gpg.

automatic encryption is no problem and no security hole. once the data is sent in a secure way to the server (submitting the form...), your scripts can encrypt it with the public key of the customer. this key isn't a "secret" key (why should you call it "public" then... *g*), so you can get it (1) from a key server, if the customer gives the key id, or (2) the customer enters the key directly. all versions of pgp/gpg are able to export a key to ascii - that's what you need.

after encrypting the data, nobody except the owner of the corresponding private key (your customer) can read the encrypted data.

cya, jonas.

ps: just to be sure. it is NOT a good idea to encrypt the data the customer sends to the server via pgp, not even if the customer provides his public key. the only way to do this is that the customer SELF-encrypts the information. not undoable, but very shdfkgjclsdhgjtemscdvc. (think about "mark and copy the text. put it into pgp. encrypt it. mark it and copy it back to this www-form. send it. we're reading your key id out of it. we're getting your public key. we're decrypting your message.". too complicated *blargh*.)
____________________________________________
Jonas Pasche
Technischer Support

webagentur Domke GmbH

Rheinstr. 3 - 64283 Darmstadt - Germany

Telefon +49 6151 17742-33
Telefax +49 6151 293173

http://www.domke.de

mailto:jonas@xxxxxxxx
____________________________________________
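
Added example, not part of the original message: one way a server-side script could handle the "customer enters the key directly" case described above, checking the pasted ASCII armor before handing it to gpg and then encrypting the reply to that key. It assumes a `gpg` binary on the PATH; the function names are hypothetical.

```python
import base64, subprocess, tempfile

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def check_armor(text: str) -> bytes:
    """Accept exactly one armored public key block; return its decoded bytes."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("expected one ASCII-armored public key block")
    body = lines[1:-1]
    if "" in body:  # armor headers (Version:, Comment:) end at the blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    raw = base64.b64decode("".join(body), validate=True)
    if crc_line and base64.b64decode(crc_line[1:]) != crc24(raw).to_bytes(3, "big"):
        raise ValueError("armor checksum mismatch (truncated paste?)")
    first = raw[0] if raw else 0
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    if not first & 0x80 or tag != 6:  # first packet must be a public key (tag 6)
        raise ValueError("block does not start with a public key packet")
    return raw

def encrypt_for_customer(armored_key: str, plaintext: str) -> str:
    """Encrypt plaintext to the submitted key using a throwaway keyring."""
    check_armor(armored_key)
    with tempfile.TemporaryDirectory() as home:  # private directory, removed afterwards
        gpg = ["gpg", "--homedir", home, "--batch", "--no-tty"]  # argv list, no shell
        subprocess.run(gpg + ["--import"], input=armored_key.encode(),
                       check=True, capture_output=True)
        listing = subprocess.run(gpg + ["--with-colons", "--list-keys"],
                                 check=True, capture_output=True, text=True).stdout
        fprs = [l.split(":")[9] for l in listing.splitlines() if l.startswith("fpr:")]
        if not fprs:
            raise ValueError("gpg imported no key")
        # Assumption: the key arrived over the SSL-protected form, so no web of trust.
        args = ["--trust-model", "always", "--armor", "--recipient", fprs[0], "--encrypt"]
        return subprocess.run(gpg + args, input=plaintext.encode(),
                              check=True, capture_output=True).stdout.decode()
```
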