[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Media Advisory: GAK on Dec 5




Reposted for background on the Netscape $5m IOUNSA for its 
insecure future:


Note that Messrs. Clark and Andreeson can't sell their stock 
until two years post IPO.


------------------

Nov. 6, 1995
Contact:  Anne Enright Shepherd
(301) 975-4858
[email protected]


                         MEDIA ADVISORY
          
            U.S. GOVERNMENT SEEKS PUBLIC COMMENT ON
                                
        DRAFT EXPORT CRITERIA FOR KEY ESCROW ENCRYPTION


      Revised proposed export criteria for software encryption 
products using a key  escrow mechanism are now available for 
public review. Public comment will be solicited  at a Dec. 5 
meeting to be held at the Commerce Department's National 
Institute of  Standards and Technology.


     Key escrow encryption is part of the Clinton 
Administration's initiative to promote  the use of strong 
techniques to protect the privacy of data and voice 
transmissions by  companies, government agencies and others 
without compromising the government's  ability to carry out 
lawful electronic surveillance and to execute search warrants 
for  electronically stored communications. The exportability 
criteria being proposed are for  an expedited licensing review 
process for software key escrow encryption products with  keys 
up to 64 bits long.


     The U.S. Interagency Working Group on Encryption and 
Telecommunications, a  body that develops recommendations on 
Administration encryption policies, solicits  additional public 
comment on the revised criteria.
  

     Since the Clinton Administration's Aug. 17, 1995, 
announcement of proposed  liberalization of export control 
procedures for key escrow software products with key  lengths 
up to 64 bits, the working group has met with representatives 
of computer  hardware and software manufacturers, industry 
trade associations and others interested  in providing strong 
security for electronic data and transmissions. Based on 
comments  received to date from industry, the criteria have 
been revised to better reflect  commercial interests while 
balancing the needs of law enforcement and national  security.


     These criteria do not replace or supersede any other 
licensing processes or  criteria. Export applications for other 
types of products will use the existing licensing  process.


     The Dec. 5 meeting, to be held from 9 a.m. to 5 p.m. at 
NIST in Gaithersburg,  Md., is free and open to the public. 
Representatives from the interagency encryption  working group 
will discuss the draft criteria and answer related questions. 


     Those interested in attending the workshop can register 
before Nov. 30 by  sending their name, organization, postal 
address, phone, fax number and e-mail  address to Elaine Frye 
of NIST by fax: (301) 948-1784 or e-mail: [email protected]. 
 For additional information, call (301) 975-2819.


     Once public comments are received and the export criteria 
are given any  necessary clarifications, the Department of 
State is expected to issue guidance  incorporating the criteria 
in early 1996. Products will be reviewed by the State  
Department to verify that they satisfy the final criteria. 
Products meeting the criteria will  be transferred to the 
Commodity Control List administered by the Commerce  
Department's Bureau of Export Administration, where they can be 
exported under a  general license.


The revised proposed export criteria are available on the World 
Wide Web at  http://csrc.ncsl.nist.gov/keyescrow/. Reporters 
may also request a copy from Anne
Enright Shepherd at NIST, (301) 975-2762, fax: (301) 926-1630, 
or e-mail:  [email protected].


-------------------


                        Meeting Announcement

     Draft 64-bit Software Key Escrow Encryption Export 
Criteria


On December 5, 1995, the Commerce Department's National 
Institute of Standards and  Technology (NIST) will sponsor a 
meeting to discuss proposed exportability criteria (11/95  
version) for 64-bit software key escrow encryption.  This 
meeting continues the industry-  government dialog of an 
earlier NIST-sponsored meeting held in September.  At that 
meeting,  officials of the U.S. Interagency Working Group on 
Encryption and Telecommunications  (IWG/ET) met with industry 
representatives and other interested parties to discuss an 
initial draft  of these criteria.  In response to comments 
received, the criteria have been revised with the intent  of 
achieving commercial acceptance within the flexibility 
permitted by law enforcement and  national security 
constraints.  


Changes to the proposed criteria have been made, and a new 
draft is now available for public  review and comment. 


At the upcoming meeting, representatives from the IWG/ET will 
discuss the draft criteria and  answer related questions.  Time 
will follow for industry representatives and other interested 
parties  to comment on the criteria.  Also, breakout sessions 
will be held to discuss each criterion in  greater detail.  At 
a minimum, Government representatives are scheduled to attend 
from the Office of Science and Technology Policy, National 
Security Council, the U.S. Department of State, the  U.S. 
Department of Justice, the U.S. Department of Commerce, the 
National Security Agency,  and the Federal Bureau of 
Investigation.


The meeting will be held on Tuesday, December 5, 1995 from 9:00 
a.m. to 5:00 p.m. at NIST in  Gaithersburg, Maryland in the Red 
Auditorium of the Administration Building.  Please register via 
 e-mail (to "[email protected]") or via fax (301-948-1784) 
before November 30, 1995.  To  register, please provide: 1) 
your name, 2) organization, 3) postal address, 4) phone, 5) fax 
number  and 6) e-mail address.  Alternatively, walk-up 
registration will be available on-site the day of the  meeting. 
 


Directions from Washington, DC: from the Beltway (I-495) take 
I-270 North to Exit 10 (Clopper  Road).  At the first traffic 
light (Bureau Drive), turn left into the main entrance to NIST. 
 Follow  signs to the Administration Building parking lot.  The 
receptionist at the entrance to the  Administration Building 
can provide directions to the Red Auditorium.  


If you would like to make a presentation with your comments on 
the proposed criteria, you are  asked to contact Elaine Frye at 
NIST via e-mail at "[email protected]" or via telephone on 
301-  975-2819 by November 30, 1995.  The number of 
presentations as well as their length may be  limited.  
Presenters (and others wishing to distribute material) are 
asked to bring 250 (attendance  estimate) copies of their 
presentations to the meeting.


-----------------


             Draft Software Key Escrow Encryption Export 
Criteria 
                                (11/95 version)


Export control jurisdiction for a software key escrow 
encryption  product that meets the following criteria, as 
determined by the  U.S. Department of State after a one-time 
review, will be  transferred to the U.S. Department of Commerce 
for export  licensing.  These criteria do not alter existing 
licensing  practices applicable to other encryption products or 
modes. Vendors must still submit other encryption to the U.S. 
Department  of State for review and export licensing, or 
jurisdiction  transfer as appropriate.  Vendors contemplating 
the development  of encryption products are encouraged to 
discuss their export  objectives with the U.S. Government.


Key Escrow Feature


1.    The key(s) required to decrypt the product's key escrow
      cryptographic functions' ciphertext shall be accessible
      through a key escrow feature.


2.    The product's key escrow cryptographic functions shall be
      inoperable until the key(s) is escrowed in accordance 
with
      #3.


3.    The product's key escrow cryptographic functions' key(s)
      shall be escrowed with escrow agent(s) certified by the 
U.S.
      Government, or certified by foreign governments with 
which
      the U.S. Government has formal agreements consistent with
      U.S. law enforcement and national security requirements.


4.    The product's key escrow cryptographic functions' 
ciphertext
      shall contain, in an accessible format and with a 
reasonable
      frequency, the identity of the key escrow agent(s) and
      information sufficient for the escrow agent(s) to 
identify
      the key(s) required to decrypt the ciphertext.


5.    The product's key escrow feature shall allow access to 
the
      key(s) needed to decrypt the product's ciphertext 
regardless
      of whether the product generated or received the 
ciphertext.


6.    The product's key escrow feature shall allow for the
      recovery of multiple decryption keys during the period of
      authorized access without requiring repeated 
presentations
      of the access authorization to the key escrow agent(s).  


Key Length Feature


7.    The product's key escrow cryptographic functions shall 
use
      an unclassified encryption algorithm with a key length 
not
      to exceed sixty-four (64) bits.


8.    The product's key escrow cryptographic functions shall 
not
      provide the feature of multiple encryption (e.g., triple-
      DES).


Interoperability Feature


9.    The product's key escrow cryptographic functions shall
      interoperate only with key escrow cryptographic functions 
in
      products that meet these criteria, and shall not
      interoperate with the cryptographic functions of a 
product
      whose key escrow encryption function has been altered,
      bypassed, disabled, or otherwise rendered inoperative.


Design, Implementation, and Operational Assurance


10.   The product shall be resistant to anything that could
      disable or circumvent the attributes described in #1 
through
      #9.


------------------


                        Background Paper

      Changes to the Criteria Based on Earlier Public Input


The government presented draft criteria (9/95 version) for the  

export of software-based key escrow encryption at an open 
meeting  at NIST on September 6-7, 1995.  Meeting participants 
suggested  several changes to the criteria; the government 
re-drafted the  criteria as described below.  Industry's ideas 
and words were  included when possible and given serious 
consideration consistent  with the protection of fundamental 
interests (e.g., privacy and  national security).


General changes to the document: The document was re-structured 
 to make it clearer.  After the introductory text, related  
criteria are grouped into the following categories:


          a.   key escrow feature

          b.   key length feature

          c.   interoperability feature

          d.   assurances


Changes to the introductory text: The wording has been 
clarified,  and additional words have been included to 
encourage vendors that  are considering building non-escrowed 
encryption products to  discuss their export objectives with 
the government.


Changes to the criteria: The criteria presented at the 
September  6-7 meeting have been modified in the following 
ways:


Old Criterion 1.    Moved to #7; wording clarified.


Old Criterion 2.    Moved to #8; wording clarified.


Old Criterion 3.    Split into #1 and #2 since the original
                    criterion had two major points in it (the
                    requirements for key escrow, and the
                    requirement on when the keys are first
                    escrowed); wording clarified.


Old Criterion 4.    Wording clarified; the notion of
                    accessibility to authorized entities was
                    modified to explicitly state that the
                    required information must be available with 
a
                    reasonable frequency.


Old Criterion 5.    Moved to #10; wording clarified, and the
                    example was deleted so that implementors 
were
                    not misled to believe that the example 
given
                    was the only way of satisfying that
                    requirement.


Old Criterion 6.    Moved to #9; wording clarified, and
                    applicability of this requirement was 
scoped
                    to address interoperability between a
                    product's key escrow mode and a non-key
                    escrow product.


Old Criterion 7.    Moved to #5; wording clarified.


Old Criterion 8.    Moved to #6; wording clarified because the
                    term "repeated involvement" was perceived 
as
                    being too broad.


Old Criterion 9.    Deleted.


Old Criterion 10.   Moved to #3; wording clarified, and
                    requirement modified to not preclude the
                    escrow of key by agents in addition to 
those
                    required by these criteria.


Note:   The September (and November) version of the criteria is
available electronically at:

"http://csrc.ncsl.nist.gov/keyescrow/"



*****************************************************  

Elaine Frye
Computer Systems Laboratory, NIST
Bldg. 225/Rm.B154
Gaithersburg, MD  20899-0001
Voice:   301/975-2819    Fax:  301/948-1784

*****************************************************