[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Key Recovery is Bad for US Security
Here is a copy of an email I sent to the senior senator from California
I am extremely disturbed to read your comments in favor of mandatory "key
recovery". Besides being a disaster for American software companies, and a
clear violation of the constitution's protections of freedom of speech,
these systems are harmful to the security of the United States.
All cryptographic systems are extremely difficult to get right. The SSL
protocol developed by Netscape Inc., which doesn't provide for "key
recovery", went through three versions before the major problems were
removed. "Key recovery" systems are, as Professor Dorothy Denning
testified, much more complex than similar systems which do not include that
feature. In fact, the key recovery system built into Clipper, with the
advice of the National Security Agency, had flaws as documented by Matt
Blaze of AT&T Bell Laboratories. If the best cryptographic group in the
world can't get it right, how can we expect these systems to be secure.
What do we risk with insecure systems? We risk compromising the legitimate
secrets of non-classified government agencies, including IRS records;
United States companies, including delicate international negotiations; and
individual Americans, including their medical records. Even worse, if some
group should decide to launch an information war attack on the United
States, these flaws may allow them to access sensitive systems in the
finance, transportation, and energy sectors. One simple way this attack
could occur is if the access codes are distributed using a flawed
I hope you will reconsider your stand on this issue.
William S. Frantz
16345 Englewood Ave.
Los Gatos, Ca 95032
Capability Security Architect - Electric Communities
Bill Frantz Electric Communities
Capability Security Guru 10101 De Anza Blvd.
[email protected] Cupertino, CA 95014