Day 2, NIST GAK meeting



-----BEGIN PGP SIGNED MESSAGE-----

Date: Fri, 8 Sep 1995 09:32:43 -0400 (EDT)
From: "Pat Farrell" <[email protected]>
To: [email protected]
Cc: 
BCc: 
Subject: Day 2 NIST meeting notes
X-NUPop-Charset: IBM 8-Bit


Thursday's GAK Export meeting started with reports from the prior
afternoon's breakout meetings. I reported on the session I was in,
saying what I posted to the list yesterday (about National Semi's product,
etc.) The other breakout groups reported their problems with the
criteria, again asking that #9 be dropped, longer keys, etc.
The presentation for Group "A" was different. It was a speech.
It asked that the process be stopped to let industry develop
market-driven solutions. It was greeted by applause from the
vendors and privacy advocates, with no reaction from the
government representatives.

Randy Williams of Commerce, and Dan Cook of State, described the
current export approval process. Lots of talk of jurisdictions
and types of licenses. I quickly got lost in the jargon.
The moderator wisecracked that the official language of the session
was English. You couldn't tell from some of the exchanges.

They were questioned on import restrictions. Both Williams and Cook
said that there are no import restrictions into the US. They also
pointed out that Treasury, not State or Commerce, has jurisdiction over
imports.

An engineer from Compaq asked a question: He said that his company
buys licenses to software, and bundles it as "value added" to
their systems. They are interested in bundling in security features.
He asked if his computers would then be subject to export restrictions.
The answer was yes. He asked if he could purchase security software
overseas and import it. The answer was again yes. He asked if
he could install that software on his computers, again yes. And
export the computers, NO. They didn't even seem to think that this
was illogical.

So Commerce, State, and the rest of the government are actively
encouraging the development of competing software industries in
Israel, Germany and other countries. I hate to think what they'd
do if they tried to hurt US industry.

An interesting tidbit came up after the session. In an offline
conversation, the topic of "personal use export" came up. A
reliable source said that revised regulations are being developed,
and will be available soon. I explicitly asked if this meant
"PGP on a notebook computer" and was told, Yes, that will be allowed;
with the usual rules that it can't be for export, you can't be attempting
to sell it, etc. Personal use, carry out and carry back. The "source" was
asked if they had read Matt Blaze's personal use disaster story.
The name didn't ring a bell, but the story was well known and considered
a nightmare.

Penny Brummitt of NSA was to talk about Clipper's key escrow agents,
but called in sick. I didn't catch the name of the replacement.
He talked about Clipper's process, not as an example of what will
be required for GAK agents, but as an "existence proof" that some
agents can be found.  The essence was that Clipper escrow facilities are
strong, and staffed with people cleared to the "Secret" level. They also
tossed out the phrase "US Person" in regard to the corporate entity that is
responsible for the contract.

Geoff Greiveldinger, of the US Department of Justice, gave a frequently
inaudible recounting of the evils of strong encryption in the war
on D, P, & T, and also corrupt mayors. He was very personable. He also
sounded like a fascist. Throughout the meeting, all sides tried to
have a civil discussion, even though we disagreed. It was
impossible to stay civil through his drivel. Ruby Ridge and Furman
had been unmentionable up until his speech.

Mr. Greiveldinger said that acceptable escrow agents will be in the US.
This caused considerable concern among vendors trying to sell
in the International market.

Dan Weitzer of CDT (the EFF spinoff) gave a short, rousing speech. It
was a call to arms. He said that since NIS&T was ignoring the
consistent input from industry to stop this silly and stupid GAK, that
we need to immediately contact our congresscritters.

Ken Mendelsen [sic?] of TIS gave a great speech. He suggested that
the criteria for escrow agents be the same as the form to export tanks
and other munitions. Then he showed the one page form used by State.
He argued that legislative solutions to the escrow agent approval process
will take too long and kill the effort. I'll try to get copies of his
presentation.

F.W. Gerbracht, Jr., a VP at Merrill Lynch, represented the Securities Industry
Association. He said that they are willing to work with the government,
but they need long keys, strong ciphers, and international escrow agents.
He used the phrase "unlimited algorithms and keyspace" as a requirement.
They also need buy in from their regulators, and presented a long list
of SEC, CFT, NYSE, NASDealers, and 50 state regulators, all of whom have
to sign off.

Nanette DiTosto of Bankers Trust gave a short, to the point presentation.
She said that BT has a commercial key escrow service, but that was not
what she wanted to get across. She said that multinational banks demand
strong encryption and non-US escrow agents. And that they would
settle for nothing less.

A speaker from VTW gave a nice presentation. VTW is something like
voter's telecommunications watch. They have a mailing list, at
[email protected]. He said that escrow was doomed to failure. That there
is no middle ground. I'll try to get his slides too.

Jack Wack of TECSEC gave a pitch for his shrinkwrapped product. He
said it is exportable now, they've jumped through all the hoops.
He also gave a great crack from his son. It went roughly like:
"Dad, if you own the data before you encrypt it, how come the
government says you don't own it after you encrypt it?"
It brought down the house. (if someone has a more accurate quote, please
let me have a copy).

Professor Hoffman of George Washington gave a great speech. He listed
the Al Gore to Maria Cantwell letter's criteria, as a matrix. He then
filled in the matrix with the Export GAK's criteria. It was painfully
obvious that the NIST/NSA proposal didn't come close. He recommended
that they focus closely on the Gore criteria, and come up with an
approach that meets all the criteria.

While I planned on staying for the remainder of the meeting, a crisis
came up at my day job. I can't say I was looking forward to more,
a day and a half was enough for me, and I wasn't the only person leaving
early. Attendance was down visibly Thursday relative to the first day.

Pat

-----BEGIN PGP SIGNATURE-----
Version: 2.6

-----END PGP SIGNATURE-----

p.s. please let me know if this one's pgp sig is better than yesterday's

Pat Farrell      grad student        http://www.isse.gmu.edu/students/pfarrell
Infor. Systems and Software Engineering, George Mason University, Fairfax, VA
PGP key available via finger or request           #include standard.disclaimer