Re: NRC Cryptography Report: The Text of the Recommendations
On Thu, 30 May 1996, Hal wrote:
> Second, although they go to some lengths to emphasize the importance of
> an open, unclassified process, and that the report itself is completely
> unclassified, there are some curious omissions. For example,
> recommendation 4.1 is that 56-bit DES encryption should be exportable.
> However, they follow that by saying, "Products covered under
> Recommendation 4.1 must be designed in a way that would preclude their
> repeated use to increase confidentiality beyond the acceptable level."
That is a modest misreading of the statement -- what it says is a sort of
"generally available" requirement that the committee did a _BIG_ job of
trying to soft-pedal at the conference. Especially when PGP was
mentioned, they said "well, it's not _really_ a 'generally available'
recommendation." But it _is_. One Cypherpunk at the meeting suggested
to me that they knew if PGP was mentioned, heads would roll, and this
might be a quiet way of sneaking that in.
> I also think it is sneaky that they bury this limitation in text which
> will not be seen by people who read only the recommendations.
Yep, but OTOH, how much can they fit into a decent blurb anyways, which
is all the actual recommendation text is?
> Overall, I am disappointed that the report seems to adopt so much of the
> point of view of those forces which will oppose the use of cryptography.
> At best it seems to be a recognition that change is inevitable, and that
> the most that can be hoped for is to ease the transition to a world where
> people have free access to privacy tools. But in the meantime it appears
> designed to delay the transition rather than advance it.
Which is as good as we could hope for from a government-sponsored report,
whose team was required to include members of the intelligence community,
and which those members know will be looked at seriously by Congress.
While on the one hand I'm disappointed, OTOH it was much better than I
expected it to be. While it is essentially a "status quo" sort of
report, it still allows us to deploy strong crypto now.
What I was most disappointed with was that (as far as I've found so far
-- I've not slogged my way through the entire 500+ page report quite yet)
CAPIs are totally ignored (although described in an appendix, I haven't
yet been able to find any reference with regards to exporting them)
thus leaving the "crypto in the hole" issue up in the air...
----------
Jon Lasser (410)532-7138 - Obscenity is a crutch for
[email protected] inarticulate motherfuckers.
http://www.goucher.edu/~jlasser/
Finger for PGP key (1024/EC001E4D) - Fuck the CDA.