  NIST CSSPAB 6/4/93 Resolutions


                 NIST Crypto Resolutions

  Computer System Security and Privacy Advisory Board
                       June 4, 1993

                      Resolution #1

At Mr. Kammer's request we have conducted two days of 
hearings.  The clear message of the majority of input 
was that there are serious concerns regarding the Key 
Escrow Initiative and the Board concurs with these 
concerns.  Many of these issues are still to be fully 
understood and more time is needed to achieve that 
understanding.

Accordingly, this Board resolves to have an additional 
meeting in July 1993 in order to more completely respond 
to Mr. Kammer's request and to fulfill its statutory 
obligations under P.L. 100-235.  The Board recommends 
that the inter-agency review take note of our input 
collected, our preliminary finding, and adjust the 
timetable to allow for resolution of the significant 
issues and problems raised.

Attached to this resolution is a preliminary 
distillation of the serious concerns and problems.


                     Resolution #2

Key escrowing encryption technology represents a 
dramatic change in the nation's information 
infrastructure.  The full implications of this 
encryption technique are not fully understood at this 
time.  Therefore, the Board recommends that key 
escrowing encryption technology not be deployed beyond 
current implementations planned within the Executive 
Branch, until the significant public policy and 
technical issues inherent with this encryption technique 
are fully understood.

[Attachment to Resolution #1]

- A convincing statement of the problem that Clipper 
attempts to solve has not been provided.

- Export and import controls over cryptographic 
products must be reviewed.  Based upon data compiled 
from U.S. and international vendors, current controls 
are negatively impacting U.S. competitiveness in the 
world market and are not inhibiting the foreign 
production and use of cryptography (DES and RSA).

- The Clipper/Capstone proposal does not address the 
needs of the software industry, which is a critical and 
significant component of the National Information 
Infrastructure and the U.S. economy.

- Additional DES encryption alternatives and key 
management alternatives should be considered since there 
is a significant installed base.

- The individuals reviewing the Skipjack algorithm and 
key management system must be given an appropriate time 
period and environment in which to perform a thorough 
review.  This review must address the escrow protocol 
and chip implementation as well as the algorithm itself.

- Sufficient information must be provided on the 
proposed key escrow scheme to allow it to be fully 
understood by the general public.  It does not appear to 
be clearly defined at this time and, since it is an 
integral part of the security of the system, it appears 
to require further development and consideration of 
alternatives to the key escrow scheme (e.g., three 
"escrow" entities, one of which is a non-government 
agency, and a software based solution).

- The economic implications for the Clipper/Capstone 
proposal have not been examined.  These costs go beyond 
the vendor cost of the chip and include such factors as 
customer installation, maintenance, administration, chip 
replacement, integration and interfacing, government 
escrow systems costs, etc.

- Legal issues raised by the proposal must be reviewed.

- Congress, as well as the Administration, should play a 
role in the conduct and approval of the results of the 
review.

=======================================================
    NIST Resolutions on Key Escrow Issues and Clipper
                       provided by
                 CPSR Washington office
           666 Pennsylvania Ave., SE Suite 303
                  Washington, DC 20003
               [email protected]
=======================================================