From: jim bell <jimbell@pacifier.com>
To: “Dave Banisar” <cypherpunks@toad.com>
Message Hash: e8efea5e2adf7f96ec10c499b69e48ad5f304049fba31b7127d50fddadcaf4df
Message ID: <m0u5cI0-000909C@pacifier.com>
Reply To: N/A
UTC Datetime: 1996-04-06 22:18:06 UTC
Raw Date: Sun, 7 Apr 1996 06:18:06 +0800
Subject: Re: ACM/IEEE Letter on Cryp
[on the Burns bill]
At 04:55 PM 4/3/96 -0500, Dave Banisar wrote:
>The draft bill which currently exists only takes the export controls on
>crypto. The provisions on key escrow, criminal penalties and other problems
>are not in there and Burns staff have no intention of letting them in. The
>actual bill will be introduced in about 2 weeks.
>-dave

That sounds okay as far as it goes, but I can see a potential problem. Your
wording above is unclear, but if the Burns bill totally eliminates export
controls that's great. However, we've frequently heard talk of "compromises"
like the Leahy bill which seem to relate exportable encryption to that which
is already available overseas. There have been suspicions around there that
this is intended to keep the American producers out of the market as long as
possible, which is still a problem. I don't think that's acceptable.

It's also not logical. Even if we assume that the strongest encryption
available overseas is 2048-bit RSA, that's far more secure than 1024-bit
PGP, which itself (I've heard...) is probably 1-10 million times stronger
than 512-bit PGP, and the last is probably just barely within the reach of
even the NSA with a reasonable amount of resources directed at the task.
Obviously, this means that the best encryption commonly available is so far
beyond what the NSA can decrypt, there appears to be no point in denying
somebody the right to export 3000-bit RSA, when 2048-bit versions are
already in use.

In addition, even if this condition is assumed, there is a question about
whether or not export will or must be automatically approved for any program
which uses encryption equally or less strong than, say, 2048-bit PGP, or
whether they will refuse export of programs which use encryption to
implement functions that are "politically incorrect" despite the fact they
use only "exportable level" encryption. I could mention a specific example,
but if you've followed my essays you already know what I'm talking about.
The government could still deter new and innovative ideas utilizing
encryption that themselves don't already exist overseas.

I think there's a serious enough danger here that we should insist on (at
least) wording that completely takes the decision-making authority out of
the government's hands for encryption that uses the same or less key length
than the maximum available overseas, regardless of its function. I don't
want even this minimal restriction, but if that's what it takes to pass the
Burns bill, it's progress anyway. I'm sure somebody can (or already has)
extend foreign-source PGP to 4096-bit keys to push the limit well beyond any
practical limit, if 2048 bits isn't there already.

Jim Bell
jimbell@pacifier.com