1993-09-14 - CSSPAB Questions Clipper

Header Data

From: Dave Banisar <banisar@washofc.cpsr.org>
To: CYPHERPUNKS <CYPHERPUNKS@toad.com>
Message Hash: c02c7f144b61d3c8ddf80451c8674f540fbeaca58dd6698cce9a4430335f0842
Message ID: <00541.2830855938.5353@washofc.cpsr.org>
Reply To: N/A
UTC Datetime: 1993-09-14 17:05:18 UTC
Raw Date: Tue, 14 Sep 93 10:05:18 PDT

Raw message

From: Dave Banisar <banisar@washofc.cpsr.org>
Date: Tue, 14 Sep 93 10:05:18 PDT
To: CYPHERPUNKS <CYPHERPUNKS@toad.com>
Subject: CSSPAB Questions Clipper
Message-ID: <00541.2830855938.5353@washofc.cpsr.org>
MIME-Version: 1.0
Content-Type: text/plain


  CSSPAB Questions Clipper
Govt. Panel Questions Clipper Chip Proposal

By David Banisar, The Privacy Times


	After two days of sometimes tumultuous hearings, a government advisory
board chartered to advise the administration and Congress on computer
security and privacy issued two resolutions questioning many of the aspects
of the Clinton Administration's controversial new encryption scheme, the
Clipper Chip. The National Institute for Standards and Technology's Computer
System Security and Privacy Advisory Board (CSSPAB) expressed continued
concern over many aspects of the proposal including the lack of a convincing
statement expressing the problems that the Clipper is supposed to solve, the
need to look for possible alternatives to the proposal, the legal,
economic, and export control issues, and software implementation of the
proposal. In addition, the board also expressed concern that the Clipper
proposal could negatively impact the availability of cost-effective security
products to the US government and industry and that it may not be marketable
or usable worldwide.

	In a second resolution, the board unanimously called for a public debate of
the proposal and recommended that Congress take an active role in
determining US cryptography policy. It also recommended that any new policy
must address the interests of law enforcement and intelligence, US industry
and citizens' privacy and security in the US and worldwide.

	At the hearings, Geoff Greiveldinger from the Department of Justice
reported that the key escrow agents will be announced within a few weeks
after briefing members of Congress. Sources inside the administration
indicate that the administration may have decided to eliminate from
consideration outside organizations holding the keys and are leaning towards
the Department of the Treasury as one of the key holders.

	Doug Miller of the Software Publishers Association (SPA) also presented the
latest survey of foreign software with cryptography finding that over 200
products from over 20 countries were available from overseas companies
including many that use DES. He expressed concern that the Clipper chip
would harm the US software industry while not providing any benefits to the
intelligence community, since cryptography was available worldwide. He
indicated that they were seeking a legislative solution to the issue. Last
year, a renewal of the Export Administration Act, which removed
restrictions on off-the-shelf software with encryption, was vetoed by
President Bush.

	NIST Deputy Director Ray Kammer announced that the Data Encryption Standard
(DES) will be recertified for government, non-classified use for another
five years. The paperwork has been sent to Secretary of Commerce Ron Brown,
who is expected to sign it within two weeks.

	The Clipper proposal was introduced April 16, 1993 and has been strongly
opposed by both civil liberties groups and industry. The proposal calls for
use of a secret encryption chip designed by the National Security Agency for
non-classified voice and data transmission. The keys for the chip would be
split and held in escrow by two government agencies. NIST has submitted the
Clipper proposal for public comment. The FIPS was published in the Federal
Register at Volume 58, page 40791 (July 30, 1993) and is also available in
electronic form from the CPSR Internet Library FTP/WAIS/Gopher cpsr.org
/cpsr/crypto/clipper/call-for-comments.  Comments are due to NIST by
September 28, 1993 to the Director, Computer Systems Laboratory, ATTN:
Proposed FIPS for Escrowed Encryption Standard, Technology Building, room
B-154, National Institute of Standards and Technology, Gaithersburg, MD
20899. 

	CPSR has created an archive of comments on the proposal and has asked
people to electronically submit a copy of their comments to
clipper@washofc.cpsr.org.


--------------------------------

NON-CERTIFIED TEXT


        COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

                           		RESOLUTION 93-5

				SEPTEMBER 1-2, 1993

Subsequent to the June 2-4, 1993 meeting of the CSSPAB, the Board has held
an additional 4 days of public hearings and has collected additional public
input.

The clear message is that the preliminary concerns stated in Resolution 1 of
that date have been confirmed as serious concerns which need to be resolved.

Public input has heightened the concerns of the Board to the following
issues:

	- A convincing statement of the problem that Clipper attempts to solve has
not been provided.

	- Export and import controls over cryptographic products must be reviewed.
Based upon data compiled from US and international vendors, current controls
are negatively impacting US competitiveness in the world market and are not
inhibiting the foreign production and use of cryptography (DES and RSA).

	- The Clipper/Capstone proposal does not address the needs of the software
industry, which is a critical and significant component of the National
Information Infrastructure and the US economy.

	- Additional DES encryption alternatives and key management alternatives
should be considered since there is a significant installed base.

	- The individuals reviewing the Skipjack algorithm and key management
system must be given an appropriate time period and environment in which to
perform a thorough review. This review must address the escrow protocol and
chip implementation as well as the algorithm itself.

	- Sufficient information must be provided on the proposed key escrow scheme
to allow it to be fully understood by the general public.

	- Further development and consideration of alternatives to the key escrow
scheme need to be considered, e.g., three "escrow" entities, one of which is
a non-government agency, and a software based solution.

	- The economic implications for the Clipper/Capstone proposal have not been
examined. These costs go beyond the vendor cost of the chip and include such
factors as customer installation, maintenance, administration, chip
replacement, integration and interfacing, government escrow system costs,
etc.

	- Legal issues raised by the proposal must be reviewed.

	- Congress, as well as the administration, should play a role in the
conduct and approval of the results of the review.

Moreover, the following are additional concerns of the Board.

	- Implementation of the Clipper initiative may negatively impact the
availability of cost-effective security products to the US government and
the private sector;

	and

	- Clipper products may not be marketable or usable worldwide.



FOR: Castro, Gangemi, Lambert, Lipner, Kuyers, Philcox, Rand, Walker,
Whitehurst, and Zeitler.

AGAINST: none

ABSTAIN: Gallagher [NSA]

ABSENT: Colvin


-----------------------------------------------------------------


NON-CERTIFIED TEXT


	COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

				RESOLUTION 93-6

				SEPTEMBER 1-2, 1993

The Board believes that in deciding cryptographic policies and standards in
the US, there is a compelling need to consider and evaluate the concerns
listed below. We, therefore, endorse the process being pursued by the
administration in the form of an interagency review but believe the scope of
that review needs to include adequate industry input. We reaffirm our
recommendations (of March 1992) that the issues surrounding this policy be
debated in a public forum. In view of the worldwide significance of these
issues the Board believes that the Congress of the U.S. must be involved in
the establishment of cryptographic policy.

The board, furthermore, believes that there are a number of issues that must
be resolved before any new or additional cryptographic solution is approved
as a US government standard:

	1. The protection of law enforcement and national security interests.

	2. The protection of U.S. computer and telecommunications interests in the
international marketplace.

	3. The protection of U.S. persons' interests both domestically and
internationally.




FOR: Castro, Gallagher, Gangemi, Lambert, Lipner, Kuyers, Philcox, Rand,
Walker, Whitehurst, and Zeitler.

AGAINST: none

ABSTAIN: none

ABSENT: Colvin






