1996-05-31 - Re: NRC Cryptography Report: The Text of the Recommendations

Header Data

From: Moltar Ramone <jlasser@rwd.goucher.edu>
To: Hal <hfinney@shell.portal.com>
Message Hash: 3bedf55df876292ae17fd6ea5225391ebac56b4a77dc49b98f372e5a5b242e4f
Message ID: <Pine.SUN.3.91.960531080225.28351A-100000@rwd.goucher.edu>
Reply To: <199605302304.QAA14424@jobe.shell.portal.com>
UTC Datetime: 1996-05-31 19:45:34 UTC
Raw Date: Sat, 1 Jun 1996 03:45:34 +0800

Raw message

From: Moltar Ramone <jlasser@rwd.goucher.edu>
Date: Sat, 1 Jun 1996 03:45:34 +0800
To: Hal <hfinney@shell.portal.com>
Subject: Re: NRC Cryptography Report: The Text of the Recommendations
In-Reply-To: <199605302304.QAA14424@jobe.shell.portal.com>
Message-ID: <Pine.SUN.3.91.960531080225.28351A-100000@rwd.goucher.edu>
MIME-Version: 1.0
Content-Type: text/plain


On Thu, 30 May 1996, Hal wrote:

> Second, although they go to some lengths to emphasize the importance of
> an open, unclassified process, and that the report itself is completely
> unclassified, there are some curios omissions.  For example,
> recommendation 4.1 is that 56-bit DES encryption should be exportable.
> However, they follow that by saying, "Products covered under
> Recommendation 4.1 must be designed in a way that would preclude their
> repeated use to increase confidentiality beyond the acceptable level."

That is a modest misreading of the statement -- what it says is a sort of 
"generally available" requirement that the committee did a _BIG_ job of 
trying to soft-pedal at the conference.  Especially when PGP was 
mentioned, they said "well, it's not _really_ a 'generally available' 
recommendation."  But it _is_.  One Cypherpunk at the meeting suggested 
to me that they knew if PGP was mentioned, heads would roll, and this 
might be a quiet way of sneaking that in.

> I also think it is sneaky that they bury this limitation in text which
> will not be seen by people who read only the recommendations.

Yep, but OTOH, how much can they fit into a decent blurb anyways, which 
is all the actual recommendation text is? 

> Overall, I am disappointed that the report seems to adopt so much of the
> point of view of those forces which will oppose the use of cryptography.
> At best it seems to be a recognition that change is inevitable, and that
> the most that can be hoped for is to ease the transition to a world where
> people have free access to privacy tools.  But in the meantime it appears
> designed to delay the transition rather than advance it.

Which is as good as we could hope for from a government-sponsored report, 
whose team was required to include members of the intelligence community, 
and which those members know will be looked at seriously by congress.

While on the one hand I'm disappointed, OTOH it was much better than I 
expected it to be.  While it is essentially a "status quo" sort of 
report, it still allows us to deploy strong crypto now.

What I was most disappointed with was that (as far as I've found so far 
-- I've not slogged my way through the entire 500+ page report quite yet) 
CAPIs are totally ignored (although described in an appendix, I haven't 
yet been able to find any reference with regards to exporting them) 
thus leaving the "crypto in the hole" issue up in the air...

----------
Jon Lasser (410)532-7138                         - Obscenity  is a crutch  for
jlasser@rwd.goucher.edu                            inarticulate motherfuckers.
http://www.goucher.edu/~jlasser/
Finger for PGP key (1024/EC001E4D)               - Fuck the CDA.






Thread