[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NIST GAK export meeting, short version

I just got back from the NIST GAK export meeting. This is
a short writeup of a summary. I'll post a longer version later
this evening or early tomorrow morning.

The meeting was hosted by Ed Roback of NIST, who quickly introduced
Mike Nelson of the White House. Mike is clearly a political guy.
His handout says: "We believe that our proposal for exportable 64-bit key
escrow encryption meets these goals [the goals of VP Gore's letter to Rep
Cantwell, July 20, 1994]." He said that the criteria describe a solution,
but not the only solution.  He said it does not preclude other
implementations in the future. He anticipates that the State Department
will issue guidance based upon these criteria in "early 1996," and that
between now and then, any product that meets the criteria will be elegible
for expidited approval. Of course, the existing (slow as molasass) process
will continue.

I asked the first questions from the floor. The two questions were:
(1) Is this meeting concerned solely with export
of software, or does it deal with controling domestic use of strong
cryptography? and (2) since the 64-bit limit was severly criticized at
the Sept meeting, why is it still needed if there is also escrow?

His answer was that there is "no intention to control domestic encryption"
and on the 64-bit issue, that the government is "not certain it will
work." he says they "want to see it implemented and want to see
how it works" because 64-bit encryption is very strong. If the escrow
doesn't work, they don't want a lot of softare to be in widespread use.

He said that they have studied the encryption that is supposed to be widely
available on the Internet. He said that viewed by crypto experts, not
much is very good. He mentioned "two incidents" where Netscape had
weak implimentations. He feels that companies will not trust software
over the 'net. that they "want the US Government to say that 'this is
good enough'."

Clint Brooks, of NSA, then went over the revised criteria. He claimed that
they were surprized at the industry concern over "one product" for
worldwide markets. There were lots of questions. He eventually admitted
that because of the "one product" concern, export regulations will effect
domestic products. [all the more reason for Netscape to keep building ten
or whatever it is.]

Brooks admitted that it is impossible to prevent multiple encryption.
Cypherpunks would do that by using PGP and then sending it using GAK.
He said "as a person, you can set up a secure communication method, and
nothing can be done about it." His concern is not that smart people can
have stronger crypto, but that strong crypto will be easy and widely used.

He said that the 64-bit key limit is not meant to restrict RSA keys to
64-bits, but rather to restrict the session keys that are encrypted using
RSA. Unspoken was the assumption that the 2000 bit RSA secret key would
have to be escrowed.

There were some interesting (and bad IMHO) implications of interoperability.
I'll cover them more in the long version. Basically, they admitted that
the interoperability restrictions made it stupid to have an export
version, you should have a strong domestic version, and an international
version developed offshore for sale to the rest of the world.

They admitted that there can be no controls over export of data, so once
interoperating software is available both domestically and from offshore
sources, there is no value in the export controlled, crippled version.

My favorite policeman, Geoff Greiveldinger, then described the
characteristics of an acceptable key escrow agent. There was a long list
of criteria, all unseen before the meeting. The general reaction
of the audience was that these were "yet another set of criteria that
must be met." Geoff claimed that they were simply trying to address
the questions raised at the earlier meeting about who is an
acceptable escrow agent. One point that caused a lot of concern
was that at least one employee of the escrow agent has to have a SECRET

Industry, with a few exceptions, soundly said that this is a dumb idea,
that there is no market, that the criteria are too hard, etc. Except
Padgett Petersen, representing Lockheed-Martin. He said that LM thought
that the criteria were just peachy. The  usual civil liberties folks
also soundly trashed it.

There was a representative from Netscape. He said that they, as a company
think this is a terrible idea. They oppose it now, and will be issuing
a company policy soon. I didn't catch his name, and couldn't find him
to get the obviously carefully prepared text. If someone from Netscape, are
you listening Jeff W? could get me the text, I'll add it to my writeup.


What I think it means:

I believe that the government deeply wants to restrict domestic use of
strong encryption, but they have no legal justification for doing so.
They can't expect that they will get it if they go to Congress. So they
are attempting an end-arround using the export criteria, which they
_do control_. They hope that the pain of having multiple versions will be
so high that no vendor will bother, and all we'll have is crippled

The usual civil liberties lobby folks (CDT, EPIC, etc.) want to
hold their own, industry sponsored meetings to develop workable systems.

I think that the real key is for everyone, worldwide to insist on
both strong crypto and interoperability. The Germans are already
writing fine software and making fast hardware. Microsoft and Netscape
can easily afford to do some of their development offshore. If the products
sell and are deployed, it won't matter what the govies want.


ps. there were a number of other cypherpunks in attendance. I hope
some will add their impressions of the day.

Pat Farrell    Grad Student      http://www.isse.gmu.edu/students/pfarrell
Info. Systems & Software Engineering, George Mason University, Fairfax, VA
PGP key available on homepage               #include <standard.disclaimer>