[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CRADA robber
I spoke with Dennis Branstad at length a couple of days ago
about just what it means to get involved with NIST in the
Software Key Escrow CRADA. It was a nice conversation and
he told me that he personally didn't seem to think that a workable
system would emerge, but that others felt differently. Plus
the push for a software solution meant that the agency felt
that it should at least explore the topic before dismissing it.
The system seems to be quite commercial. A group of people
and companies petition NIST to get involved with the project
and then a group forms out of a subset of these applications.
Usually this is the team that is most likely to get the job
done. For that reason, people need to bring something to the
project be it expertise, capital or whatever.
At the end, the group owns the intellectual property rights to
what is discovered. This may be something patentable and it could
be worth some money. I don't know how likely this is, but it
seems possible. In fact, it is probably the reason many of the
participants are willing to enter into the project.
The role of NIST is both gatekeeper and fascilitator. They get
everyone together and occasionally push things along. In this
case, they'll also offer some technical assistance which will
include feedback from the NSA. Dennis Branstad said that this would
most likely take the form of Siskel and Ebert-like ratings of the
systems proposed. The NSA would suggest, "Yes" or "No" but they
probably wouldn't go into details. This is because the procedure
would be unclassified and the NSA usually won't relate technical
details without classifying them.
I've read the Federal Register announcement and it really isn't
that interesting. There are only two columns of text and most of
it is devoted to the formatting and standard operating procedures.
This note contains much more information than the announcement itself.
This leaves me with several questions:
* Is this process intended to fail? Will NIST just keep saying that
software isn't good enough and that way they'll be able to answer
the criticism that hardware is too expensive?
* How selective is the group formation process? Are people really
out for money?
* There are supposedly several other groups interested in participating.
Who are they? Is it RSA and PKP?
* Is a software process really that much more insecure than a hardware
based approach? Sure, it is easier to tamper with software, but given
that we can always tamper with the software shell around the Clipper
hardware, it shouldn't be _that_ much different.
-Peter