From: Michael Froomkin <froomkin@law.miami.edu>
Date: Sun, 21 Jan 1996 00:42:10 +0800
To: cypherpunks <cypherpunks@toad.com>
Subject: DES in real life
Message-ID: <Pine.SUN.3.91.960120111743.16171F-100000@viper.law.miami.edu>
MIME-Version: 1.0
Content-Type: text/plain


Recognizing that DES is not the best thing out there, but that it is
better than RC40 and life is a series of cost/benefit tradeoffs and that
there is a large installed base to interoperate with, I'd like your
opinions on the following: 

1) Suppose you are approached by a corporate client who believes that they
can get export permission for DES (but nothing stronger, i.e. no 3DES). 
What kind of real-world, non-banking, applications is DES just too weak
for today?  In answering keep in mind that most US corporate clients are
not too worried about the US government reading their email.  Some do
worry about foreign governments and many worry about competitors. [I've 
limited this to "non-banking" because banks seem to be gearing up for 3DES.]

2) How long before DES becomes generally unsuitable for (A) corporate 
(B) personal use [please keep the threat model on which this question is 
based in mind -- threats *other than* the US government wiretapping you]?

3) Do you have a view as to whether DES (A) will and (B) should be 
recertified next time the issue arises?

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law | 
U. Miami School of Law     | froomkin@law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.