Interesting People mailing list archives
CSSPAB Resolutions
From: David Farber <farber () central cis upenn edu>
Date: Tue, 7 Sep 1993 08:59:30 -0500
September 3, 1993

MEMORANDUM FOR Members of the Computer System Security and Privacy Advisory Board

From: Ed Roback, Acting Board Secretary

Subject: September 1993 Resolutions

Attached for your information are the two resolutions passed by the Board yesterday. Please let me know if you find any errors or disagreements with this text. Thank you.

Attachments

------------------------

NON-CERTIFIED TEXT

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

RESOLUTION 93-5

September 1-2, 1993

Subsequent to the June 2-4, 1993 meeting of the CSSPAB, the Board has held an additional 4 days of public hearings and has collected additional public input. The clear message is that the preliminary concerns stated in Resolution 1 of that date have been confirmed as serious concerns which need to be resolved. Public input has heightened the concerns of the Board to the following issues:

- A convincing statement of the problem that Clipper attempts to solve has not been provided.

- Export and import controls over cryptographic products must be reviewed. Based upon data compiled from U.S. and international vendors, current controls are negatively impacting U.S. competitiveness in the world market and are not inhibiting the foreign production and use of cryptography (DES and RSA).

- The Clipper/Capstone proposal does not address the needs of the software industry, which is a critical and significant component of the National Information Infrastructure and the U.S. economy.

- Additional DES encryption alternatives and key management alternatives should be considered since there is a significant installed base.

- The individuals reviewing the Skipjack algorithm and key management system must be given an appropriate time period and environment in which to perform a thorough review. This review must address the escrow protocol and chip implementation as well as the algorithm itself.

- Sufficient information must be provided on the proposed key escrow scheme to allow it to be fully understood by the general public.

- Further development and consideration of alternatives to the key escrow scheme need to be considered, e.g., three "escrow" entities, one of which is a non-government agency, and a software based solution.

- The economic implications for the Clipper/Capstone proposal have not been examined. These costs go beyond the vendor cost of the chip and include such factors as customer installation, maintenance, administration, chip replacement, integration and interfacing, government escrow system costs, etc.

- Legal issues raised by the proposal must be reviewed.

- Congress, as well as the Administration, should play a role in the conduct and approval of the results of the review.

Moreover, the following are additional concerns of the Board:

- Implementation of the Clipper initiative may negatively impact the availability of cost-effective security products to the U.S. Government and the private sector; and

- Clipper products may not be marketable or usable worldwide.

FOR: Castro, Gangemi, Lambert, Lipner, Kuyers, Philcox, Rand, Walker, Whitehurst, and Zeitler
AGAINST: none
ABSTAIN: Gallagher
ABSENT: Colvin

--------------------------------

NON-CERTIFIED TEXT

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

RESOLUTION 93-6

SEPTEMBER 1-2, 1993

The Board believes that in deciding cryptographic policies and standards in the U.S., there is a compelling need to consider and evaluate the concerns listed below. We, therefore, endorse the process being pursued by the administration in the form of an interagency review but believe the scope of that review needs to include adequate industry input. We reaffirm our recommendation (of March 1992) that the issues surrounding this policy be debated in a public forum. In view of the worldwide significance of these issues the Board believes that the Congress of the U.S. must be involved in the establishment of cryptographic policy.

The Board, furthermore, believes that there are a number of issues that must be resolved before any new or additional cryptographic solution is approved as a U.S. government standard:

1. The protection of law enforcement and national security interests;

2. The protection of U.S. computer and telecommunication interests in the international marketplace; and

3. The protection of U.S. persons' interests both domestically and internationally.

FOR: Castro, Gallagher, Gangemi, Lambert, Lipner, Kuyers, Philcox, Rand, Walker, Whitehurst, and Zeitler
AGAINST: none
ABSTAIN: none
ABSENT: Colvin
...................................................................

**** NOTE NEW STREET ADDRESS AND PHONE #s ****

Daniel J. Weitzner, Senior Staff Counsel
Electronic Frontier Foundation
1001 G St, NW
Suite 950 East
Washington, DC 20001
202-347-5400 (v)
202-393-5509 (f)