From: Harry Shapiro <habs@Panix.Com>
Date: Tue, 18 May 93 05:53:40 PDT
To: cypherpunks@toad.com (Good Guys)
Subject: This is "telling"
Message-ID: <199305181253.AA10326@sun.Panix.Com>
MIME-Version: 1.0
Content-Type: text/plain



The answer to this question is "telling." Escrow or no encryption!!!

/harry

 From: jim@RSA.COM (Jim Bidzos)

	FYI. NIST has responded to my questions. Feel free to distribute.

There are a number of companies that employ non-escrowed cryptography
in their products today.  These products range from secure voice,
data, and fax to secure email, electronic forms, and software
distribution, to name but a few.  With over a million such products in
use today, what does the Clipper program envision for the future of
these products and the many corporations and individuals that have
invested in and use them?  Will the investment made by the vendors in
encryption-enhanced products be protected? If so, how?  Is it
envisioned that they will add escrow features to their products or be
asked to employ Clipper?  

>>>> NIST:        Again, the Clipper Chip is a government standard which can
                  be used voluntarily by those in the private sector.  We also
                  point out that the President's directive on "Public
                  Encryption Management" stated: "In making this decision, I
                  do not intend to prevent the private sector from developing,
                  or the government from approving, other microcircuits or
                  algorithms that are equally effective in assuring both
                  privacy and a secure key-escrow system."  You will have to
                  consult directly with private firms as to whether they will
                  add escrow features to their products.

Since Clipper, as currently defined, cannot be implemented in
software, what options are available to those who can benefit from
cryptography in software? Was a study of the impact on these vendors
or of the potential cost to the software industry conducted?  (Much of
the use of cryptography by software companies, particularly those in
the entertainment industry, is for the protection of their
intellectual property.)


>>>> NIST:        You are correct that, currently, Clipper Chip functionality
                  can only be implemented in hardware.  We are not aware of a
                  solution to allow lawfully authorized government access when
                  the key escrow features and encryption algorithm are
                  implemented in software.  We would welcome the participation
                  of the software industry in a cooperative effort to meet
                  this technical challenge.  Existing software encryption use
                  can, of course, continue.  

Banking and finance (as well as general commerce) are truly global
today. Most European financial institutions use technology described
in standards such as ISO 9796.  Many innovative new financial
products and services will employ the reversible cryptography
described in these standards.  Clipper does not comply with these
standards. Will US financial institutions be able to export Clipper?
If so, will their overseas customers find Clipper acceptable?  Was a
study of the potential impact of Clipper on US competitiveness
conducted? If so, is it available? If not, why not?

>>>> NIST:        Consistent with current export regulations applied to the
                  export of the DES, we expect U.S. financial institutions
                  will be able to export the Clipper Chip on a case by case
                  basis for their use.  It is probably too early to ascertain
                  how desirable their overseas customers will find the Clipper
                  Chip.  No formal study of the impact of the Clipper Chip has
                  been conducted since it was, until recently, a classified
                  technology; however, we are well aware of the threats from
                  economic espionage from foreign firms and governments and we
                  are making the Clipper Chip available to provide excellent
                  protection against these threats.  As noted below, we would
                  be interested in such input from potential users and others
                  affected by the announcement.  Use of other encryption
                  techniques and standards, including ISO 9796 and the ISO
                  8730 series, by non-U.S. Government entities (such as
                  European financial institutions) is expected to continue.

I realize they are probably still trying to assess the impact of
Clipper, but it would be interesting to hear from some major US
financial institutions on this issue.

>>>> NIST:        We too would be interested in hearing any reaction from
                  these institutions, particularly if such input can be
                  received by the end of May, to be used in the
                  Presidentially-directed review of government cryptographic
                  policy.

Did the administration ask these questions (and get acceptable
answers) before supporting this program? If so, can they share the
answers with us? If not, can we seek answers before the program is
launched?  

>>>> NIST:        These and many, many others were discussed during the
                  development of the Clipper Chip key escrow technology and
                  the decisions-making process.  The decisions reflect those
                  discussions and offer a balance among the various needs of
                  corporations and citizens for improved security and privacy
                  and of the law enforcement community for continued legal
                  access to the communications of criminals.








-- 
Harry Shapiro  				      habs@panix.com
List Administrator of the Extropy Institute Mailing List
Private Communication for the Extropian Community since 1991