From: Hal Finney <hal@rain.org>
Date: Mon, 18 Nov 1996 10:09:19 -0800 (PST)
To: cypherpunks@toad.com
Subject: HP proposal available
Message-ID: <199611181809.KAA27124@crypt.hfinney.com>
MIME-Version: 1.0
Content-Type: text/plain


HP has put up info on its crypto proposal at http://www.hp.com/go/icf.
You can also try http://www.dmo.hp.com/gsy/security/icf/main.html if that
URL is slow.

The basic idea is what we had been speculating, their old
"International Cryptography Framework" based on hardware crypto cards.
It has now been given government approval, which is no big surprise
since the system looks like it's been designed by fed bootlickers.

The claim of other companies signing on is less impressive than it
sounds.  They're using Microsoft's Crypto API, and of course Microsoft
would like plenty of companies to use it.  Intel offers to build some
hardware, which is more business for them.  "Netscape and VeriFone are
exploring a wide range of uses for ICF technology."  That's all they
say about those companies.  This is hardly a commitment; Netscape and
other companies generally keep abreast of everything happening in the
field to keep their options open.  So this is not a resounding
endorsement.

The one good thing about the plan is that since it is very complicated
and requires specialized hardware, we probably won't see any impact from
it for years.  Hopefully it will be obsolete before it can be deployed.

The plan itself is an NSA wet dream.  Not only do you need a token
from Big Brother to activate the crypto in your computer (the token
can be hardware or software, but the crypto card itself apparently
must be hardware), it's also necessary for any application which wants
to use crypto to supply an application specific certificate to the card.
This lets the law enforcement bureaucrats not only determine who gets to
use crypto, but which applications get access to it.  If you want to build
an app which will use crypto you'll have to get permission from the
authorities in order for them to give you a certificate which you can
compile in to let your app run.

The one thing which was not clear was how much of these rules would apply
within the U.S.  In fact notably missing from the press release, white
paper, overviews, slides, etc. on the web site was any discussion of civil
liberties impact.  It certainly was not listed as one of the considerations
in the design of the system.

Overall, I'd say this is just HP trumpeting the unsurprising government
approval of their ICF system and turning it into a press event by providing
some lukewarm "endorsements" from well known companies.  This system looks
to me like it's got a long way to go before it becomes a widely used
standard.

Hal