NIST CSSPAB 6/4/93 Resoluti
- To: CYPHERPUNKS <[email protected]>
- Subject: NIST CSSPAB 6/4/93 Resoluti
- From: Dave Banisar <[email protected]>
- Date: Fri, 4 Jun 1993 20:46:59 EST
- Organization: CPSR Civil Liberties and Computing Project
NIST CSSPAB 6/4/93 Resolutions
NIST Crypto Resolutions
Computer System Security and Privacy Advisory Board
June 4, 1993

Resolution #1

At Mr. Kammer's request we have conducted two days of
hearings. The clear message of the majority of input
was that there are serious concerns regarding the Key
Escrow Initiative and the Board concurs with these
concerns. Many of these issues are still to be fully
understood and more time is needed to achieve that
understanding.
Accordingly, this Board resolves to have an additional
meeting in July 1993 in order to more completely respond
to Mr. Kammer's request and to fulfill its statutory
obligations under P.L. 100-235. The Board recommends
that the inter-agency review take note of our input
collected, our preliminary finding, and adjust the
timetable to allow for resolution of the significant
issues and problems raised.
Attached to this resolution is a preliminary
distillation of the serious concerns and problems.

Resolution #2

Key escrowing encryption technology represents a
dramatic change in the nation's information
infrastructure. The full implications of this
encryption technique are not fully understood at this
time. Therefore, the Board recommends that key
escrowing encryption technology not be deployed beyond
current implementations planned within the Executive
Branch, until the significant public policy and
technical issues inherent with this encryption technique
are fully understood.

[Attachment to Resolution #1]

- A convincing statement of the problem that Clipper
attempts to solve has not been provided.
- Export and import controls over cryptographic
products must be reviewed. Based upon data compiled
from U.S. and international vendors, current controls
are negatively impacting U.S. competitiveness in the
world market and are not inhibiting the foreign
production and use of cryptography (DES and RSA).
- The Clipper/Capstone proposal does not address the
needs of the software industry, which is a critical and
significant component of the National Information
Infrastructure and the U.S. economy.
- Additional DES encryption alternatives and key
management alternatives should be considered since there
is a significant installed base.
- The individuals reviewing the Skipjack algorithm and
key management system must be given an appropriate time
period and environment in which to perform a thorough
review. This review must address the escrow protocol
and chip implementation as well as the algorithm itself.
- Sufficient information must be provided on the
proposed key escrow scheme to allow it to be fully
understood by the general public. It does not appear to
be clearly defined at this time and, since it is an
integral part of the security of the system, it appears
to require further development and consideration of
alternatives to the key escrow scheme (e.g., three
"escrow" entities, one of which is a non-government
agency, and a software based solution).
- The economic implications for the Clipper/Capstone
proposal have not been examined. These costs go beyond
the vendor cost of the chip and include such factors as
customer installation, maintenance, administration, chip
replacement, integration and interfacing, government
escrow systems costs, etc.
- Legal issues raised by the proposal must be reviewed.
- Congress, as well as the Administration, should play a
role in the conduct and approval of the results of the
review.
=======================================================
NIST Resolutions on Key Escrow Issues and Clipper
provided by
CPSR Washington office
666 Pennsylvania Ave., SE Suite 303
Washington, DC 20003
[email protected]
=======================================================