I need a client-server encryption solution for web transfer (i.e. signed and encrypted client-side, and verified and decrypted server-side).
I am using HTTP, but SSL is not available due to shared hosting restrictions (my server is a shared host environment). Looking into alternative solutions, I have decided on OpenPGP using GnuPG. One of the reasons is that it is supported in PHP through various PEAR and PECL modules (PHP is the language I intend to use for both my client script and my server script, though Perl is also available as a last resort).
I am now trying to decide on the best way to transmit the data. I have come across RFC 1847, which defines encrypted and signed multipart MIME messages. This protocol is extended specifically for PGP in RFC 3156. (I think these protocols are related to the S/MIME encrypted email protocol.)
My question is: is there any reason to follow these standards? As far as protocols go, they look like sensible solutions, but are there any clients that actually use this protocol? For example, if I made a multipart/encrypted request to an Apache web server, will there be any easy way to retrieve the data? My tests using a PHP script made me think that PHP would be no use trying to decipher requests like these ($_POST data seems to come from 'multipart/form-data' MIME-type data).
As my host will let me open sockets, it would be possible for me to use PHP's socket programming API to write a PHP script to act as a server that will accept 'multipart/encrypted' and 'multipart/signed' HTTP requests, but this seems like overkill.
Any suggestions?
For more information on my problem, please see this question.
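
Added example, not part of the original post: PHP fills `$_POST` only for `application/x-www-form-urlencoded` and `multipart/form-data` bodies, but the raw body of any other content type can still be read from `php://input`, so an RFC 3156 `multipart/encrypted` request can be unpacked by hand. The function name `extractPgpPayload()` and the sample request are constructed for illustration, and the parser assumes a simple two-part message with no nested multiparts.

```php
<?php
// Added example, not code from the original post.
// extractPgpPayload() and the sample request below are constructed for illustration.
function extractPgpPayload(string $contentType, string $body): string
{
    // RFC 3156: the request must be multipart/encrypted with the PGP protocol parameter.
    if (!preg_match('~^\s*multipart/encrypted\s*;~i', $contentType)
        || !preg_match('~protocol\s*=\s*"?application/pgp-encrypted"?~i', $contentType)
        || !preg_match('~boundary\s*=\s*"?([^";\s]+)"?~i', $contentType, $m)) {
        throw new InvalidArgumentException('not an RFC 3156 multipart/encrypted request');
    }

    // Normalise line endings, then split on the delimiter line "--boundary".
    $body   = "\n" . str_replace("\r\n", "\n", $body);
    $chunks = explode("\n--" . $m[1], $body);
    array_shift($chunks);                 // preamble before the first delimiter
    $last = array_pop($chunks);           // remainder after the closing "--boundary--"
    if ($last === null || strncmp($last, '--', 2) !== 0 || count($chunks) !== 2) {
        throw new InvalidArgumentException('expected two body parts and a closing delimiter');
    }

    $parts = [];
    foreach ($chunks as $chunk) {
        // Each part is: headers, one blank line, content.
        [$head, $content] = array_pad(explode("\n\n", ltrim($chunk, "\n"), 2), 2, '');
        $parts[] = [strtolower($head), trim($content)];
    }

    // Part 1 is the control part ("Version: 1"), part 2 carries the OpenPGP data.
    if (strpos($parts[0][0], 'content-type: application/pgp-encrypted') === false
        || !preg_match('~^version:\s*1$~im', $parts[0][1])
        || strpos($parts[1][0], 'content-type: application/octet-stream') === false) {
        throw new InvalidArgumentException('body parts do not match RFC 3156');
    }
    return $parts[1][1];
}

// Constructed sample request (placeholder text, not real ciphertext).
$sampleType = 'multipart/encrypted; protocol="application/pgp-encrypted"; boundary="foo"';
$sampleBody = "--foo\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n\r\n"
    . "--foo\r\nContent-Type: application/octet-stream\r\n\r\n"
    . "-----BEGIN PGP MESSAGE-----\r\n\r\n(constructed placeholder)\r\n"
    . "-----END PGP MESSAGE-----\r\n--foo--\r\n";

// On a server: extractPgpPayload($_SERVER['CONTENT_TYPE'] ?? '', file_get_contents('php://input'))
echo extractPgpPayload($sampleType, $sampleBody), "\n";
```

The returned ASCII-armored block is what would be passed to GnuPG for decryption and signature verification; anything that fails the structural checks is rejected before it reaches GnuPG.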