1996-01-22 - Re: Espionage-enabled Lotus notes.

Header Data

From: “Paul M. Cardon” <pmarc@fnbc.com>
To: “Richard Martin” <rmartin@aw.sgi.com>
Message Hash: 4ecc3d80f7da9e2a900e84ef25f90ac6be0a6f2c852a43d4423b98d46035ba7c
Message ID: <199601212208.QAA00308@abernathy.fnbc.com>
Reply To: <9601181638.AA01736@zorch.w3.org>
UTC Datetime: 1996-01-22 01:10:06 UTC
Raw Date: Mon, 22 Jan 1996 09:10:06 +0800

Raw message

From: "Paul M. Cardon" <pmarc@fnbc.com>
Date: Mon, 22 Jan 1996 09:10:06 +0800
To: "Richard Martin" <rmartin@aw.sgi.com>
Subject: Re: Espionage-enabled Lotus notes.
In-Reply-To: <9601181638.AA01736@zorch.w3.org>
Message-ID: <199601212208.QAA00308@abernathy.fnbc.com>
MIME-Version: 1.0
Content-Type: text/plain

An individual almost but not quite entirely unlike Richard Martin wrote:
> They've forced a major company (they don't come much more major
> than IBM) to ship a product which actually helps them in both
> aspects of their mandate. Communications interception of foreign
> industries' groupware is now easier for the U.S. than for any other
> country, while (and this must be granted) the communications
> security of American industries will be somewhat improved by this
> move.

But how does this affect the use of Notes for US companies with  
foreign offices?  If foreign offices are required to use the "export  
version" (which IS supposedly interoperable with the domestic  
version), then Notes use between a foreign office and US office will  
have a 40 bit key as far as the government is concerned.  This  
assumption may be incorrect, but until I know what the effective key  
size is as seen by the government when the export and domestic  
versions communicate, I have to assume that the export version will  
have to dominate the effective key length.  In other words, the  
domestic version will be able to handle and generate keys with the  
24 government accessible bits, but naturally, keys generated by the  
domestic version will not be usable by the export version.

Are US businesses willing to swallow this when the use is purely  
internal to the company?  Does the national security argument hold  
up in this situation?

This really does so little to improve the security situation that I  
can see why Mr. Ozzie is not comfortable with this compromise as  
anything but a short-term solution.  I hope his statement is  
sincere.  I'm asking a lot of questions at this point because my own  
opinions are not fully formed on all of the relevant issues.

Paul M. Cardon
System Officer - Capital Markets Systems
First Chicago NBD Corporation (for whom I do not opine)

MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e