reaction to Infoworld NIST/NSA queries



This is very interesting information, because it is extremely current
and represents the first direct reactions by the behind-the-scenes
authorities on some crucial aspects of Clipper and its scalding reception.

>   It should also be understood that the use of products
>   implementing the key escrow encryption microcircuit is
>   voluntary. There has been no attempt to either mandate its use
>   or to deny the entry of other encryption technologies into the
>   marketplace.

Note in the answer to `has acrimony lessened the government commitment'
the feeble whimpering ultimately falls back on the aspect that it is
voluntary. Ah, the last refuge of these scoundrels! If there are any
plans to restrict or limit domestic cryptography, the policy-makers
(and I use the term loosely) are painting themselves into a corner. If
the only redeeming feature of Clipper is that it is voluntary, then
anything less is wholly unredeeming! But again, the text conspicuously
does not rule out that option.

>   Finally, the system will be designed to ensure that law
>   enforcement destroys the keys it receives when its authority
>   to conduct the electronic surveillance has expired.

Correct me if I'm wrong, but this is the first time I've seen any
official indication of this requirement to `destroy keys after
surveillance' -- this *is* clearly an extremely serious weakness with
the scheme, and I don't use past tense there because this lip service
doesn't remedy it in the least. However, we can take consolation: it
appears there have been direct responses to the criticisms of the key
escrow aspects. In fact, they appear to have the key-escrow issues
thought out to the least (hence my very uneasy suspicions), were
surprised by the focused critical analysis, and have been consistently
attempting to strengthen the `baroque activities in a vault' (as one
esteemed cypherpunk put it). The attempts look a little bit like
desperate scramblings to me. They still don't have a clue on the escrow agencies!

>   Should a broader export policy be adopted, we
>   believe products implementing the key escrow technology will
>   find favor among consumers who desire the superb encryption
>   security offered.
 
`superb'? hee, hee. First claim of security outside of the `superior to
many other schemes on the market' weasel quote in the announcement.
This sounds like vintage Sternlight.

>Q. If Clipper would be the standard, would the use of non-Clipper
>   encryption devices be outlawed? If so, how would you find out
>   who was using these non-Clipper devices?
> 
>A. No. Use of key-escrowed products by the private sector would
>   be entirely voluntary.

Here they appear to be directly suggesting that they will *not* attempt
domestic cryptographic restriction. (?)

>   Federal agencies will have the option
>   of using this technology once it becomes a Federal Information
>   Processing Standard.

This little FIPS thing (Federal Information Processing Standard) is
clearly very important to all the Clipper conspirators right now
(Bidzos is plugging it too, and it was in the PKP-NSA-DSA patent
agreement announcement). Is there some way to sabotage the FIPS
process? Cypherpunks, this is a critical window.

>A. NIST will recommend that DES be renewed for another five years
>   as a Federal Information Processing Standard.

Wow, I don't recall seeing that before.

>A. Again, we must emphasize that use of this technology is
>   voluntary. Software containing other cryptosystems is still
>   available to consumers.

They plug the `voluntary' bit so much here you'd think they're talking
about Bush's Thousand Points of Light.

>A. We expect the key escrow microcircuits will be enhanced to keep
>   pace with future data requirements.

hee, hee. They can't even keep up with *current* requirements. The
chips last for an astonishingly durable 2 days. (Actually, with Clipper
this is a very attractive feature!)

>   That does not mean, however, that a government-imposed
>   security policy is appropriate. Government must be actively
>   involved in setting computer security standards for its own
>   use and making its technology, expertise and guidance
>   available to the private sector when requested and
>   appropriate.

Wow. At first I thought this was a typo and the statement was supposed
to be `does not mean it is *in*appropriate'. `when requested and
appropriate'? Good lord, is this the NSA talking or did they have the
day off? Maybe they actually understand they have no domestic legal
regulatory standing whatsoever.