From: Jeff Barber <jeffb@issl.atl.hp.com>
Date: Fri, 19 Jul 1996 15:07:37 +0800
To: david@sternlight.com (David Sternlight)
Subject: Re: Gorelick testifies before Senate, unveils new executive order
In-Reply-To: <v03007603ae14644ce4b1@[192.187.162.15]>
Message-ID: <199607190304.XAA17972@jafar.issl.atl.hp.com>
MIME-Version: 1.0
Content-Type: text/plain


David Sternlight writes:
> 
> At 1:32 PM -0700 7/18/96, Jeff Barber wrote:

> >> Let's see what the study group recommends. There are a lot of things the
> >> government can do, and plenty of historical precedent.
> >
> >There *are* a lot of things government can do.  There aren't a lot of
> >things it can do well.  But you want to wait and see what a *government
> >study group* decides to recommend?  Gee, who can guess what they'll decide?
> 
> You should do your homework. It's going to have a lot of industry people on
> it and be chaired by an industry person.

This isn't the same panel I saw mentioned on this list.  That one had,
as I recall, two individuals being selected by each of several cabinet 
departments and executive agencies.


> Now THAT is apples and oranges. The security of, say, IBM's, or the FAA's,
> or AT&T's domestic computer networks has little to do with crypto export
> policy.

Big companies like IBM, AT&T, etc. have *international* networks.  Hence,
the connection to the crypto export policy, which prevents comprehensive
security programs from being deployed.  As a "senior techinical executive"
(oxymoron alert) to Fortune 50 companies, I assume you know that and are
simply choosing to ignore it for the sake of your current argument.


> >Putting the government in charge of fixing security problems is likely
> >to result in an infrastructure optimized for surveillance, as we've seen
> >with other government-sponsored initiatives (Clipper, DigitalTelephony,
> >etc.).
> 
> The subject matter of the Commission's inquiry has more to do with
> authentication than message encryption, and more to do with infrastructure
> and network security. And as it happens there is no problem getting export
> licenses for authentication-only software with as secure a key as you like
> and no escrow. RIPEM/SIG did it years ago. You aren't even on the same page
> as this issue.

There is more to security than authentication, as I'm sure you also know
but are choosing to ignore.  Authentication alone may suffice in some
situations but clearly not all.  And in fact, this merely supports my
point: left to government's preference, we'll all be well-authenticated
when the surveillance tapes are introduced into evidence. (:-)


> Again, you are trying to fight a different battle in the wrong arena.
> This isn't about your ability to encrypt your traffic. It's about securing
> the domestic infrastructure against information warfare. I know this is
> beginning to sound tiresome, but you'd better do your homework.

Indeed.  This isn't a different battle, though; it's all interwoven.
I don't want the government responsible for "securing the domestic
infrastructure..." for the same reason that I don't want them telling
me where or to whom I can sell crypto.  They haven't any right to, IMO,
and besides, I don't trust them to look out for my interests.


-- Jeff