Re: Netherlands crypto ban?



	In my opinion, The Netherlands will not adopt a crypto policy on their
	own, they'll do it if the EC proposes such a "thing". 

Several months ago at a security SIG meeting at OSF, a sr tech guy
from Shell gave a presentation and I went and spoke with him afterwards.
(Not being oblique, I just forget his name.)

Shell needs public key because they want to use email for legal contracts.
They've been waiting for standards to come around, but have given up.
They're currently planning on using NIST's DSS, if they can fix a few things:
    -	Add concepts of time and location (it can be important to prove
	that this was signed last month outside of the U.S.)
    -	Add re-signing with only minor increase in size
	If there are licensing issues, "just buy them off."
They don't like RSA because of the US licensing issues -- it's too hard to
prove you only have to pay for a small portion of your use, for example.
They like DSS because it explicitly does not support privacy, which is
problematic in France, especially.

He's reluctantly inventing this setup because the vendors haven't given him
a world-wide public key story yet.  (DCE 1.2 has/had some plans, and he wanted
to push our licensees to support it, at least.)

Interestingly, things have inverted and the EC (sorry, EU) is looking
for Shell to set a standard.  Several other large companies (Philips,
etc) are also going to follow whatever Shell does.  He thinks it'll be
a de-facto standard in 18-24 months.

FYI.
	/r$