Media Advisory: GAK on Dec 5
Reposted for background on the Netscape $5m IOUNSA for its
insecure future:
Note that Messrs. Clark and Andreessen can't sell their stock
until two years post IPO.
------------------
Nov. 6, 1995
Contact: Anne Enright Shepherd
(301) 975-4858
[email protected]
MEDIA ADVISORY
U.S. GOVERNMENT SEEKS PUBLIC COMMENT ON
DRAFT EXPORT CRITERIA FOR KEY ESCROW ENCRYPTION
Revised proposed export criteria for software encryption
products using a key escrow mechanism are now available for
public review. Public comment will be solicited at a Dec. 5
meeting to be held at the Commerce Department's National
Institute of Standards and Technology.
Key escrow encryption is part of the Clinton
Administration's initiative to promote the use of strong
techniques to protect the privacy of data and voice
transmissions by companies, government agencies and others
without compromising the government's ability to carry out
lawful electronic surveillance and to execute search warrants
for electronically stored communications. The exportability
criteria being proposed are for an expedited licensing review
process for software key escrow encryption products with keys
up to 64 bits long.
The U.S. Interagency Working Group on Encryption and
Telecommunications, a body that develops recommendations on
Administration encryption policies, solicits additional public
comment on the revised criteria.
Since the Clinton Administration's Aug. 17, 1995,
announcement of proposed liberalization of export control
procedures for key escrow software products with key lengths
up to 64 bits, the working group has met with representatives
of computer hardware and software manufacturers, industry
trade associations and others interested in providing strong
security for electronic data and transmissions. Based on
comments received to date from industry, the criteria have
been revised to better reflect commercial interests while
balancing the needs of law enforcement and national security.
These criteria do not replace or supersede any other
licensing processes or criteria. Export applications for other
types of products will use the existing licensing process.
The Dec. 5 meeting, to be held from 9 a.m. to 5 p.m. at
NIST in Gaithersburg, Md., is free and open to the public.
Representatives from the interagency encryption working group
will discuss the draft criteria and answer related questions.
Those interested in attending the workshop can register
before Nov. 30 by sending their name, organization, postal
address, phone, fax number and e-mail address to Elaine Frye
of NIST by fax: (301) 948-1784 or e-mail: [email protected].
For additional information, call (301) 975-2819.
Once public comments are received and the export criteria
are given any necessary clarifications, the Department of
State is expected to issue guidance incorporating the criteria
in early 1996. Products will be reviewed by the State
Department to verify that they satisfy the final criteria.
Products meeting the criteria will be transferred to the
Commodity Control List administered by the Commerce
Department's Bureau of Export Administration, where they can be
exported under a general license.
The revised proposed export criteria are available on the World
Wide Web at http://csrc.ncsl.nist.gov/keyescrow/. Reporters
may also request a copy from Anne
Enright Shepherd at NIST, (301) 975-2762, fax: (301) 926-1630,
or e-mail: [email protected].
-------------------
Meeting Announcement
Draft 64-bit Software Key Escrow Encryption Export
Criteria
On December 5, 1995, the Commerce Department's National
Institute of Standards and Technology (NIST) will sponsor a
meeting to discuss proposed exportability criteria (11/95
version) for 64-bit software key escrow encryption. This
meeting continues the industry-government dialog of an
earlier NIST-sponsored meeting held in September. At that
meeting, officials of the U.S. Interagency Working Group on
Encryption and Telecommunications (IWG/ET) met with industry
representatives and other interested parties to discuss an
initial draft of these criteria. In response to comments
received, the criteria have been revised with the intent of
achieving commercial acceptance within the flexibility
permitted by law enforcement and national security
constraints.
Changes to the proposed criteria have been made, and a new
draft is now available for public review and comment.
At the upcoming meeting, representatives from the IWG/ET will
discuss the draft criteria and answer related questions. Time
will follow for industry representatives and other interested
parties to comment on the criteria. Also, breakout sessions
will be held to discuss each criterion in greater detail. At
a minimum, Government representatives are scheduled to attend
from the Office of Science and Technology Policy, National
Security Council, the U.S. Department of State, the U.S.
Department of Justice, the U.S. Department of Commerce, the
National Security Agency, and the Federal Bureau of
Investigation.
The meeting will be held on Tuesday, December 5, 1995 from 9:00
a.m. to 5:00 p.m. at NIST in Gaithersburg, Maryland in the Red
Auditorium of the Administration Building. Please register via
e-mail (to "[email protected]") or via fax (301-948-1784)
before November 30, 1995. To register, please provide: 1)
your name, 2) organization, 3) postal address, 4) phone, 5) fax
number and 6) e-mail address. Alternatively, walk-up
registration will be available on-site the day of the meeting.
Directions from Washington, DC: from the Beltway (I-495) take
I-270 North to Exit 10 (Clopper Road). At the first traffic
light (Bureau Drive), turn left into the main entrance to NIST.
Follow signs to the Administration Building parking lot. The
receptionist at the entrance to the Administration Building
can provide directions to the Red Auditorium.
If you would like to make a presentation with your comments on
the proposed criteria, you are asked to contact Elaine Frye at
NIST via e-mail at "[email protected]" or via telephone on
301-975-2819 by November 30, 1995. The number of
presentations as well as their length may be limited.
Presenters (and others wishing to distribute material) are
asked to bring 250 (attendance estimate) copies of their
presentations to the meeting.
-----------------
Draft Software Key Escrow Encryption Export
Criteria
(11/95 version)
Export control jurisdiction for a software key escrow
encryption product that meets the following criteria, as
determined by the U.S. Department of State after a one-time
review, will be transferred to the U.S. Department of Commerce
for export licensing. These criteria do not alter existing
licensing practices applicable to other encryption products or
modes. Vendors must still submit other encryption to the U.S.
Department of State for review and export licensing, or
jurisdiction transfer as appropriate. Vendors contemplating
the development of encryption products are encouraged to
discuss their export objectives with the U.S. Government.
Key Escrow Feature
1.  The key(s) required to decrypt the product's key escrow
    cryptographic functions' ciphertext shall be accessible
    through a key escrow feature.
2.  The product's key escrow cryptographic functions shall be
    inoperable until the key(s) is escrowed in accordance with
    #3.
3.  The product's key escrow cryptographic functions' key(s)
    shall be escrowed with escrow agent(s) certified by the U.S.
    Government, or certified by foreign governments with which
    the U.S. Government has formal agreements consistent with
    U.S. law enforcement and national security requirements.
4.  The product's key escrow cryptographic functions' ciphertext
    shall contain, in an accessible format and with a reasonable
    frequency, the identity of the key escrow agent(s) and
    information sufficient for the escrow agent(s) to identify
    the key(s) required to decrypt the ciphertext.
5.  The product's key escrow feature shall allow access to the
    key(s) needed to decrypt the product's ciphertext regardless
    of whether the product generated or received the ciphertext.
6.  The product's key escrow feature shall allow for the
    recovery of multiple decryption keys during the period of
    authorized access without requiring repeated presentations
    of the access authorization to the key escrow agent(s).
Key Length Feature
7.  The product's key escrow cryptographic functions shall use
    an unclassified encryption algorithm with a key length not
    to exceed sixty-four (64) bits.
8.  The product's key escrow cryptographic functions shall not
    provide the feature of multiple encryption (e.g.,
    triple-DES).
Interoperability Feature
9.  The product's key escrow cryptographic functions shall
    interoperate only with key escrow cryptographic functions in
    products that meet these criteria, and shall not
    interoperate with the cryptographic functions of a product
    whose key escrow encryption function has been altered,
    bypassed, disabled, or otherwise rendered inoperative.
Design, Implementation, and Operational Assurance
10. The product shall be resistant to anything that could
    disable or circumvent the attributes described in #1 through
    #9.
------------------
Background Paper
Changes to the Criteria Based on Earlier Public Input
The government presented draft criteria (9/95 version) for the
export of software-based key escrow encryption at an open
meeting at NIST on September 6-7, 1995. Meeting participants
suggested several changes to the criteria; the government
re-drafted the criteria as described below. Industry's ideas
and words were included when possible and given serious
consideration consistent with the protection of fundamental
interests (e.g., privacy and national security).
General changes to the document: The document was re-structured
to make it clearer. After the introductory text, related
criteria are grouped into the following categories:
a. key escrow feature
b. key length feature
c. interoperability feature
d. assurances
Changes to the introductory text: The wording has been
clarified, and additional words have been included to
encourage vendors that are considering building non-escrowed
encryption products to discuss their export objectives with
the government.
Changes to the criteria: The criteria presented at the
September 6-7 meeting have been modified in the following
ways:
Old Criterion 1.  Moved to #7; wording clarified.
Old Criterion 2.  Moved to #8; wording clarified.
Old Criterion 3.  Split into #1 and #2 since the original
                  criterion had two major points in it (the
                  requirements for key escrow, and the
                  requirement on when the keys are first
                  escrowed); wording clarified.
Old Criterion 4.  Wording clarified; the notion of
                  accessibility to authorized entities was
                  modified to explicitly state that the
                  required information must be available with a
                  reasonable frequency.
Old Criterion 5.  Moved to #10; wording clarified, and the
                  example was deleted so that implementors were
                  not misled to believe that the example given
                  was the only way of satisfying that
                  requirement.
Old Criterion 6.  Moved to #9; wording clarified, and
                  applicability of this requirement was scoped
                  to address interoperability between a
                  product's key escrow mode and a non-key
                  escrow product.
Old Criterion 7.  Moved to #5; wording clarified.
Old Criterion 8.  Moved to #6; wording clarified because the
                  term "repeated involvement" was perceived as
                  being too broad.
Old Criterion 9.  Deleted.
Old Criterion 10. Moved to #3; wording clarified, and
                  requirement modified to not preclude the
                  escrow of key by agents in addition to those
                  required by these criteria.
Note: The September (and November) version of the criteria is
available electronically at:
"http://csrc.ncsl.nist.gov/keyescrow/"
*****************************************************
Elaine Frye
Computer Systems Laboratory, NIST
Bldg. 225/Rm.B154
Gaithersburg, MD 20899-0001
Voice: 301/975-2819 Fax: 301/948-1784
*****************************************************