1995-09-11 - GAK Advisory Board 94

Header Data

From: nobody@REPLAY.COM (Anonymous)
To: cypherpunks@toad.com
Message Hash: 0da6d452cf5efffa3b9be0ee17723de38b1782c7d497d0de8c314dc4691c3fd3
Message ID: <199509110600.IAA03045@utopia.hacktic.nl>
Reply To: N/A
UTC Datetime: 1995-09-11 06:00:20 UTC
Raw Date: Sun, 10 Sep 95 23:00:20 PDT

Raw message

From: nobody@REPLAY.COM (Anonymous)
Date: Sun, 10 Sep 95 23:00:20 PDT
To: cypherpunks@toad.com
Subject: GAK Advisory Board 94
Message-ID: <199509110600.IAA03045@utopia.hacktic.nl>
MIME-Version: 1.0
Content-Type: text/plain



From URL: http://csrc.ncsl.nist.gov/csspab/94-rpt.txt


                   Executive Summary

This Annual Report documents activities of the National
Computer System Security and Privacy Advisory Board
during 1994, its sixth year.

During the year, the Board continued to review
cryptography related issues.  During 1994, the
Escrowed Encryption Standard (EES) and the Digital
Signature Standard (DSS) were approved as Federal
Information Processing Standards (FIPS 185) and (FIPS
186) respectively.  The Board heard briefings on
escrowing release procedures, escrow program procedures,
U.S. export procedures, international cryptography
proposals, international corporate key escrow,
alternative key escrow approaches, and software-based key
escrow encryption.

The Board also continued to follow activities related to
the Common Criteria (CC), which remains in draft form. 
[Comments on the CC will be reviewed and processed in
March 1995.] The Board continued to examine the
question as to whether there is a business case for
setting up a Trusted Technology Assessment Program
(TTAP).


Membership

Currently, Dr. Willis H. Ware, a senior researcher of the
Corporate Research Staff of RAND, serves as Chairman of
the Board.  He was appointed in July 1989.  As of
December 1994, the membership of the Board is as follows:

-  Chairman
   Willis H. Ware, RAND

-  Federal Members
   Charlie C. Baggett, Jr., National Security Agency
   Henry H. Philcox, Department of the Treasury, Internal
      Revenue Service
   Cynthia C. Rand, Department of Transportation
   Stephen A. Trodden, Department of Veterans Affairs

-  Non-Federal, Non-Vendor
   Genevieve M. Burns, Monsanto Corporation (Member
      Designate)
   Cris R. Castro, KPMG Peat Marwick
   Sandra Lambert, Citibank
   Randolph Sanovic, Mobil Corporation (Member Designate)

-  Non-Federal, Vendor
   Gaetano Gangemi, Wang Laboratories, Inc.
   Linda Vetter, Oracle Corporation (Member Designate)
   Stephen T. Walker, Trusted Information Systems, Inc.
   Bill Whitehurst, International Business Machines Corp.

In December of 1994, Ms. Cynthia Rand resigned from the
Board, leaving a vacancy in the federal member category.


              II. Major Issues Discussed

The work of the Board during 1994 was devoted to various
topics related to security of federal unclassified
automated information systems.  Among the most important
were:

-  Cryptographic Key Escrowing Procedures

-  Alternative Key Escrow

-  Security in the National Information Infrastructure
   (NII)

Escrowing Release/Program Procedures

The Department of Justice briefed the Board on procedures
for release of cryptographic key components, by the two
escrow agents, to government agencies.  The two escrow
agents are the National Institute of Standards and
Technology (NIST), of the Department of Commerce and the
Automated Systems Division of the Department of Treasury. 
The agents act under strict procedures that ensure the
security of the key components and that govern their
release for use in conjunction with lawful wiretaps.

NIST discussed the procedures for the key escrow program. 
Five federal agencies share a role in the key escrow
program:  (1) the Department of Justice is a sponsor and
a family key agent that holds one of the components of
the family key, (2) the Federal Bureau of Investigation
is the initial law enforcement user and a family key
agent that holds the other component of the family key,
(3) NIST has a dual role as the program manager and a key
escrow agent, (4) the Department of Treasury is a key
escrow agent; and (5) the National Security Agency
is the system developer that provides technical
assistance.


Alternative Key Escrow

Bankers Trust presented some rationales for key escrow
encryption for corporations, which fulfills management
supervision and compliance duties, and reduces business
risks.  They maintain that the Bankers Trust system can
meet both U.S. and European needs.  Their system has been
discussed with Canada, Britain, France, Singapore, and
the U.S.; however, none of these countries have
endorsed the system.

Trusted Information Systems, Inc. gave a demonstration
and overview of their approach to software-based key
escrow encryption.  They said that software key escrow
systems could be built that meet the objectives of law
enforcement, and that variations of their software key
escrow system can provide a commercial key escrow
capability that will be very appealing to corporate and
individual computer users.  They believe that widespread
use of corporate key escrow, in which corporations
operate their own key escrow centers, and individual key
escrow, in which bonded commercial key escrow centers
provide a key retrieval capability for registered users,
will better achieve the key escrow objectives of law
enforcement than a government-operated key escrow
system.


[Snip 180kb of very informative docs on the main US
cryptography issues of 1994, still alive in '95.]