
NIST Open Meeting



This message is forwarded from RISKS Digest (14.59)
 
8<---------- Begin forwarded message --------------
 
Date: Tue, 11 May 93 13:42:18 EDT
From: Clipper-Capstone Chip Info <[email protected]>
Organization: National Institute of Standards and Technology (NIST)
Subject: NIST Advisory Board Seeks Comments on Crypto
 
Note: This file has been posted to the following groups:
      RISKS Forum, Privacy Forum, Sci.crypt, Alt.privacy.clipper
 
and will be made available for anonymous ftp from csrc.ncsl.nist.gov,
filename pub/nistgen/cryptmtg.txt and for download from the NIST 
Computer Security BBS, 301-948-5717, filename cryptmtg.txt.
 
Note: The following notice is scheduled to appear in the Federal Register
this week.  The notice announces a meeting of the Computer System Security
and Privacy Advisory Board (established by the Computer Security Act of
1987) and solicits public and industry comments on a wide range of
cryptographic issues. Please note that submissions are due by 4:00 p.m.
May 27, 1993.
 
 
                            DEPARTMENT OF COMMERCE
                National Institute of Standards and Technology
 
                          Announcing a Meeting of the
              COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
 
AGENCY:   National Institute of Standards and Technology 
 
ACTION:   Notice of Open Meeting
 
SUMMARY: Pursuant to the Federal Advisory Committee Act, 5 U.S.C. App.,
notice is hereby given that the Computer System Security and Privacy
Advisory Board will meet Wednesday, June 2, 1993, from 9:00 a.m. to
5:00 p.m., Thursday, June 3, 1993, from 9:00 a.m. to 5:00 p.m., and
Friday, June 4, 1993 from 9:00 a.m. to 1:00 p.m.  The Advisory Board
was established by the Computer Security Act of 1987 (P.L. 100-235)
to advise the Secretary of Commerce and the Director of NIST on
security and privacy issues pertaining to Federal computer systems and
report its findings to the Secretary of Commerce, the Director of the
Office of Management and Budget, the Director of the National Security
Agency, and the appropriate committees of the Congress.  All sessions
will be open to the public.
 
DATES: The meeting will be held on June 2-4 1993.  On June 2 and 3,
1993 the meeting will take place from 9:00 a.m. to 5:00 p.m. and on
June 4, 1993 from 9:00 a.m. to 1:00 p.m.
 
Public submissions (as described below) are due by 4:00 p.m.  (EDT)
May 27, 1993 to allow for sufficient time for distribution to and
review by Board members.
 
ADDRESS: The meeting will take place at the National Institute of
Standards and Technology, Gaithersburg, MD.  On June 2, 1993, the
meeting will be held in the Administration Building, "Red
Auditorium," on June 3 the meeting will be held in the
Administration Building, "Green Auditorium," and on June 4,
1993 in the Administration Building, Lecture Room "B."
 
Submissions (as described below), including copyright waiver if
required, should be addressed to: Cryptographic Issue Statements,
Computer System Security and Privacy Advisory Board, Technology
Building, Room B-154, National Institute of Standards and
Technology, Gaithersburg, MD, 20899 or via FAX to 301/948-1784.
Submissions, including copyright waiver if required, may also
be sent electronically to "[email protected]".
 
AGENDA:
 
- Welcome and Review of Meeting Agenda
- Government-developed "Key Escrow" Chip Announcement Review
- Discussion of Escrowed Cryptographic Key Technologies
- Review of Submitted Issue Papers
- Position Presentations & Discussion
- Public Participation
- Annual Report and Pending Business
- Close
 
PUBLIC PARTICIPATION:  
 
This Advisory Board meeting will be devoted to the issue of the
Administration's recently announced government-developed "key escrow"
chip cryptographic technology and, more broadly, to public use of
cryptography and government cryptographic policies and regulations.
The Board has been asked by NIST to obtain public comments on this
matter for submission to NIST for the national review that the
Administration has announced it will conduct of
cryptographic-related issues.  Therefore, the Board is interested
in: 1) obtaining public views and reactions to the
government-developed "key escrow" chip technology announcement,
"key escrow" technology generally, and government cryptographic
policies and regulations, 2) hearing selected summaries of written
views that have been submitted, and 3) conducting a general
discussion of these issues in public.
 
The Board solicits all interested parties to submit well-written,
concise issue papers, position statements, and background
materials on areas such as those listed below.  Industry input is
particularly encouraged in addressing the questions below.  
 
Because of the volume of responses expected, submittors are asked to
identify the issues above to which their submission(s) are responsive.
Submittors should be aware that copyrighted documents cannot be accepted
unless a written waiver is included concurrently with the submission to
allow NIST to reproduce the material.  Also, company proprietary
information should not be included, since submissions will be made
publicly available.
 
This meeting specifically will not be a tutorial or briefing on
technical details of the government-developed "key escrow" chip or
escrowed cryptographic key technologies.  Those wishing to address
the Board and/or submit written position statements are requested
to be thoroughly familiar with the topic and to have concise,
well-formulated opinions on its societal ramifications.
 
Issues on which comments are sought include the following:
 
1.    CRYPTOGRAPHIC POLICIES AND SOCIAL/PUBLIC POLICY ISSUES
 
Public and Social policy aspects of the government-developed "key
escrow" chip and, more generally, escrowed key technology and government
cryptographic policies.
 
Issues involved in balancing various interests affected by government
cryptographic policies.
 
2.    LEGAL AND CONSTITUTIONAL ISSUES
 
Consequences of the government-developed "key escrow" chip technology
and, more generally, key escrow technology and government cryptographic
policies.
 
3.    INDIVIDUAL PRIVACY
 
Issues and impacts of cryptographic-related statutes, regulations, and
standards, both national and international, upon individual privacy.
 
Issues related to the privacy impacts of the government-developed "key
escrow" chip and "key escrow" technology generally.
 
4.    QUESTIONS DIRECTED TO AMERICAN INDUSTRY
 
4.A  Industry Questions: U.S. Export Controls
 
4.A.1 Exports - General 
 
What has been the impact on industry of past export controls on products
with password and data security features for voice or data?
 
Can such an impact, if any, be quantified in terms of lost export sales
or market share?  If yes, please provide that impact.
 
How many exports involving cryptographic products did you attempt over
the last five years?  How many were denied?  What reason was given for
denial?
 
Can you provide documentation of sales of cryptographic equipment which
were lost to a foreign competitor, due solely to U.S. Export Regulations?
 
What are the current market trends for the export sales of information
security devices implemented in hardware solutions?  For software
solutions?
 
4.A.2  Exports - Software
 
If the U.S. software producers of mass market or general purpose software
(word processing, spreadsheets, operating environments, accounting,
graphics, etc.) are prohibited from exporting such packages with file
encryption capabilities, what foreign competitors in what countries are
able and willing to take foreign market share from U.S. producers by
supplying file encryption capabilities?
 
What is the impact on the export market share and dollar sales of the
U.S. software industry if a relatively inexpensive hardware solution
for voice or data encryption is available such as the
government-developed "key escrow" chip?
 
What has been the impact of U.S. export controls on COMPUTER UTILITIES
software packages such as Norton Utilities and PCTools?
 
What has been the impact of U.S. export controls on exporters of OTHER
SOFTWARE PACKAGES (e.g., word processing) containing file encryption
capabilities?
 
What information does industry have that Data Encryption Standard (DES)
based software programs are widely available abroad in software
applications programs?
 
4.A.3  Exports - Hardware
 
Measured in dollar sales, units, and transactions, what have been
the historic exports for:
 
            Standard telephone sets
            Cellular telephone sets
            Personal computers and work stations            
            FAX machines
            Modems
            Telephone switches
 
What are the projected export sales of these products if there is no
change in export control policy and if the government-developed "key
escrow" chip is not made available to industry?
 
What are the projected export sales of these products if the
government-developed "key escrow" chip is installed in the above
products, the above products are freely available at an additional price
of no more than $25.00, and the above products are exported WITHOUT
ADDITIONAL LICENSING REQUIREMENTS?
 
What are the projected export sales of these products if the
government-developed "key escrow" chip is installed in the above
products, the above products are freely available at an additional price
of no more than $25.00, and the above products are to be exported WITH
AN ITAR MUNITIONS LICENSING REQUIREMENT for all destinations?
 
What are the projected export sales of these products if the
government-developed "key escrow" chip is installed in the above
products, the above products are freely available at an additional price
of no more than $25.00, and the above products are to be exported WITH
A DEPARTMENT OF COMMERCE LICENSING REQUIREMENT for all destinations?
 
4.A.4  Exports - Advanced Telecommunications 
 
What has been the impact on industry of past export controls on other
advanced telecommunications products?
 
Can such an impact on the export of other advanced telecommunications
products, if any, be quantified in terms of lost export sales or market
share? If yes, provide that impact.
 
4.B  Industry Questions:  Foreign Import/Export Regulations
 
How do regulations of foreign countries affect the import and export of
products containing cryptographic functions?  Specific examples of
countries and regulations will prove useful.
 
4.C  Industry Questions: Customer Requirements for Cryptography
 
What are current and future customer requirements for information
security by function and industry?  For example, what are current
and future customer requirements for domestic banking,
international banking, funds transfer systems, automatic teller
systems, payroll records, financial information, business plans,
competitive strategy plans, cost analyses, research and development
records, technology trade secrets, personal privacy for voice
communications, and so forth?  What might be good sources of such
data?
 
What impact do U.S. Government mandated information security standards
for defense contracts have upon demands by other commercial users for
information security systems in the U.S.?  In foreign markets?
 
What threats are your product designed to protect against?  What threats
do you consider unaddressed?
 
What demand do you foresee for a) cryptographic only products, and
b) products incorporating cryptography in: 1) the domestic market,
2) in the foreign-only market, and 3) in the global market?
 
4.D  Industry Questions:  Standards
 
If the European Community were to announce a non-DES, non-public key
European Community Encryption Standard (ECES), how would your company
react?  Include the new standard in product line?  Withdraw from the
market?  Wait and see?
 
What are the impacts of government cryptographic standards on U.S.
industry (e.g., Federal Information Processing Standard 46-1 [the
Data Encryption Standard] and the proposed Digital Signature Standard)?
 
5.  QUESTIONS DIRECTED TO THE AMERICAN BUSINESS COMMUNITY
 
5.A  American Business:  Threats and Security Requirements
 
Describe, in detail, the threat(s), to which you are exposed and which
you believe cryptographic solutions can address.
 
Please provide actual incidents of U.S. business experiences with
economic espionage which could have been thwarted by applications of
cryptographic technologies.
 
What are the relevant standards of care that businesses must apply to
safeguard information and what are the sources of those standards other
than Federal standards for government contractors?
 
What are U.S. business experiences with the use of cryptography to
protect against economic espionage, (including current and projected
investment levels in cryptographic products)?
 
5.B  American Business:  Use of Cryptography
 
Describe the types of cryptographic products now in use by your
organization. Describe the protection they provide (e.g., data
encryption or data integrity through digital signatures).  Please
indicate how these products are being used.
 
Describe any problems you have encountered in finding, installing,
operating, importing, or exporting cryptographic devices.
 
Describe current and future uses of cryptographic technology to
protect commercial information (including types of information being
protected and against what threats).
 
Which factors in the list below inhibit your use of cryptographic
products?
 
Please rank:
 
--    no need
--    no appropriate product on market
--    fear of interoperability problems
--    regulatory concerns
--       a) U.S. export laws
--       b) foreign country regulations
--       c) other
--    cost of equipment
--    cost of operation
--    other
 
Please comment on any of these factors.
 
In your opinion, what is the one most important unaddressed need
involving cryptographic technology?
 
Please provide your views on the adequacy of the government-developed
"key escrow" chip technological approach for the protection of all your
international voice and data communication requirements.  Comments on
other U.S. Government cryptographic standards?
 
6.  OTHER
 
Please describe any other impacts arising from Federal government
cryptographic policies and regulations.
 
Please describe any other impacts upon the Federal government in the
protection of unclassified computer systems.
 
Are there any other comments you wish to share?
 
The Board agenda will include a period of time, not to exceed ten hours,
for oral presentations of summaries of selected written statements
submitted to the Board by May 27, 1993.  As appropriate and to the
extent possible, speakers addressing the same topic will be grouped
together.  Speakers, prescheduled by the Secretariat and notified in
advance, will be allotted fifteen to thirty minutes to orally present
their written statements. Individuals and organizations submitting
written materials are requested to advise the Secretariat if they
would be interested in orally summarizing their materials for the
Board at the meeting.
 
Another period of time, not to exceed one hour, will be reserved for
oral comments and questions from the public.  Each speaker will be
allotted up to five minutes; it will be necessary to strictly control
the length of presentations to maximize public participation and the
number of presentations.
 
Except as provided for above, participation in the Board's discussions
during the meeting will be at the discretion of the Designated Federal
Official.
 
Approximately thirty seats will be available for the public, including
three seats reserved for the media.  Seats will be available on a
first-come, first-served basis.
 
FOR FURTHER INFORMATION CONTACT: Mr. Lynn McNulty, Executive Secretary
and Associate Director for Computer Security, Computer Systems
Laboratory, National Institute of Standards and Technology, Building
225, Room B154, Gaithersburg, Maryland 20899, telephone: (301) 975-3240.
 
SUPPLEMENTARY INFORMATION: Background information on the government-
developed "key escrow" chip proposal is available from the Board
Secretariat; see address in "for further information" section.  Also,
information on the government-developed "key escrow" chip is available
electronically from the NIST computer security bulletin board, phone
301-948-5717.
 
The Board intends to stress the public and social policy aspects, the
legal and Constitutional consequences of this technology, and the impacts
upon American business and industry during its meeting.
 
It is the Board's intention to create, as a product of this meeting, a
publicly available digest of the important points of discussion,
conclusions (if any) that might be reached, and an inventory of the
policy issues that need to be considered by the government.  Within the
procedures described above, public participation is encouraged and
solicited.
 
/signed/
Raymond G. Kammer, Acting Director
 
May 10, 1993
 
8<--------- End forwarded message ----------------

I didn't see "Clipper" or "Capstone" or "SkipJack" mentioned once in the
entire post. What did they do -- drop the name?
 
I'm starting on my own submission for presentation tonight...
 
Cheers.
 


Paul Ferguson                |       Boycott AT&T,
Network Integrator           |    Write your elected
Centreville, Virginia USA    |     Representatives.
[email protected]              |    Do the right thing.
 
Just say "NO" to the Wiretap (Clipper/Capstone) Chip(s)
   I love my country, but I fear its government.