From: Harry Shapiro <habs@Panix.Com>
To: cypherpunks@toad.com (Good Guys)
Message Hash: a23af2cde8aadcb97397ca9b0fb710d3558b8a829c5dc32cdd011f223b11891a
Message ID: <199305181253.AA10326@sun.Panix.Com>
Reply To: N/A
UTC Datetime: 1993-05-18 12:53:40 UTC
Raw Date: Tue, 18 May 93 05:53:40 PDT
From: Harry Shapiro <habs@Panix.Com>
Date: Tue, 18 May 93 05:53:40 PDT
To: cypherpunks@toad.com (Good Guys)
Subject: This is "telling"
Message-ID: <199305181253.AA10326@sun.Panix.Com>
MIME-Version: 1.0
Content-Type: text/plain
The answer to this question is "telling." Escrow or no encryption!!!
/harry
From: jim@RSA.COM (Jim Bidzos)
FYI. NIST has responded to my questions. Feel free to distribute.
There are a number of companies that employ non-escrowed cryptography
in their products today. These products range from secure voice,
data, and fax to secure email, electronic forms, and software
distribution, to name but a few. With over a million such products in
use today, what does the Clipper program envision for the future of
these products and the many corporations and individuals that have
invested in and use them? Will the investment made by the vendors in
encryption-enhanced products be protected? If so, how? Is it
envisioned that they will add escrow features to their products or be
asked to employ Clipper?
>>>> NIST: Again, the Clipper Chip is a government standard which can
be used voluntarily by those in the private sector. We also
point out that the President's directive on "Public
Encryption Management" stated: "In making this decision, I
do not intend to prevent the private sector from developing,
or the government from approving, other microcircuits or
algorithms that are equally effective in assuring both
privacy and a secure key-escrow system." You will have to
consult directly with private firms as to whether they will
add escrow features to their products.
Since Clipper, as currently defined, cannot be implemented in
software, what options are available to those who can benefit from
cryptography in software? Was a study of the impact on these vendors
or of the potential cost to the software industry conducted? (Much of
the use of cryptography by software companies, particularly those in
the entertainment industry, is for the protection of their
intellectual property.)
>>>> NIST: You are correct that, currently, Clipper Chip functionality
can only be implemented in hardware. We are not aware of a
solution to allow lawfully authorized government access when
the key escrow features and encryption algorithm are
implemented in software. We would welcome the participation
of the software industry in a cooperative effort to meet
this technical challenge. Existing software encryption use
can, of course, continue.
Banking and finance (as well as general commerce) are truly global
today. Most European financial institutions use technology described
in standards such as ISO 9796. Many innovative new financial
products and services will employ the reversible cryptography
described in these standards. Clipper does not comply with these
standards. Will US financial institutions be able to export Clipper?
If so, will their overseas customers find Clipper acceptable? Was a
study of the potential impact of Clipper on US competitiveness
conducted? If so, is it available? If not, why not?
>>>> NIST: Consistent with current export regulations applied to the
export of the DES, we expect U.S. financial institutions
will be able to export the Clipper Chip on a case by case
basis for their use. It is probably too early to ascertain
how desirable their overseas customers will find the Clipper
Chip. No formal study of the impact of the Clipper Chip has
been conducted since it was, until recently, a classified
technology; however, we are well aware of the threats from
economic espionage from foreign firms and governments and we
are making the Clipper Chip available to provide excellent
protection against these threats. As noted below, we would
be interested in such input from potential users and others
affected by the announcement. Use of other encryption
techniques and standards, including ISO 9796 and the ISO
8730 series, by non-U.S. Government entities (such as
European financial institutions) is expected to continue.
I realize they are probably still trying to assess the impact of
Clipper, but it would be interesting to hear from some major US
financial institutions on this issue.
>>>> NIST: We too would be interested in hearing any reaction from
these institutions, particularly if such input can be
received by the end of May, to be used in the
Presidentially-directed review of government cryptographic
policy.
Did the administration ask these questions (and get acceptable
answers) before supporting this program? If so, can they share the
answers with us? If not, can we seek answers before the program is
launched?
>>>> NIST: These and many, many others were discussed during the
development of the Clipper Chip key escrow technology and
the decisions-making process. The decisions reflect those
discussions and offer a balance among the various needs of
corporations and citizens for improved security and privacy
and of the law enforcement community for continued legal
access to the communications of criminals.
--
Harry Shapiro habs@panix.com
List Administrator of the Extropy Institute Mailing List
Private Communication for the Extropian Community since 1991
Return to May 1993
Return to “Harry Shapiro <habs@Panix.Com>”
1993-05-18 (Tue, 18 May 93 05:53:40 PDT) - This is “telling” - Harry Shapiro <habs@Panix.Com>