CSSPAB Resolutions

[David Farber <farber () central cis upenn edu>]

> September 3, 1993
>
> MEMORANDUM FOR Members of the Computer System Security and
>               Privacy Advisory Board
>
> > From:  Ed Roback, Acting Board Secretary
>
> Subject:  September 1993 Resolutions
>
> Attached for your information are the two resolution passed by
> the Board yesterday.  Please let me know if you find any errors
> or disagreements with this text.   Thank you.  
>
> Attachments
>
> - ------------------------
>
> NON-CERTIFIED TEXT
>
>
>       COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
>
>                         RESOLUTION 93-5
>
>                       September 1-2, 1993
>
>
> Subsequent to the June 2-4, 1993 meeting of the CSSPAB, the Board
> has held an additional 4 days of public hearings and has
> collected additional public input.
>
> The clear message is that the preliminary concerns stated in
> Resolution 1 of that date have been confirmed as serious concerns
> which need to be resolved.
>
> Public input has heightened the concerns of the Board to the
> following issues:
>
>     -    A convincing statement of the problem that Clipper
>          attempts to solve has not been provided. 
>
>     -    Export and import controls over cryptographic products
>          must be reviewed.  Based upon data compiled from U.S.
>          and international vendors, current controls are
>          negatively impacting U.S. competitiveness in the world
>          market and are not inhibiting the foreign production
>          and use of cryptography (DES and RSA).
>
>     -    The Clipper/Capstone proposal does not address the
>          needs of the software industry, which is a critical and
>          significant component of the National Information
>          Infrastructure and the U.S. economy.
>
>     -    Additional DES encryption alternatives and key
>          management alternatives should be considered since
>          there is a significant installed base.  
>
>     -    The individuals reviewing the Skipjack algorithm and
>          key management system must be given an appropriate time
>          period and environment in which to perform a thorough
>          review.  This review must address the escrow protocol
>          and chip implementation as well as the algorithm
>          itself.    
>
>     -    Sufficient information must be provided on the proposed
>          key escrow scheme to allow it to be fully understood by
>          the general public.  
>
>     -    Further development and consideration of alternatives
>          to the key escrow scheme need to be considered, e.g.,
>          three "escrow" entities, one of which is a non-
>          government agency, and a software based solution.  
>
>     -    The economic implications for the Clipper/Capstone
>          proposal have not been examined.  These costs go beyond
>          the vendor cost of the chip and include such factors as
>          customer installation, maintenance, administration,
>          chip replacement, integration and interfacing,
>          government escrow system costs, etc.  
>
>     -    Legal issues raised by the proposal must be reviewed.
>
>     -    Congress, as well as the Administration, should play a
>          role in the conduct and approval of the results of the
>          review.  
>
> Moreover, the following are additional concerns of the Board:
>
>     -    Implementation of the Clipper initiative may negatively
>          impact the availability of cost-effective security
>          products to the U.S. Government and the private sector;
>
>     and
>
>     -    Clipper products may not be marketable or usable
>          worldwide.
>
>     
> FOR:      Castro, Gangemi, Lambert, Lipner, Kuyers, Philcox,
>          Rand, Walker, Whitehurst, and Zeitler
>
> AGAINST:  none
>
> ABSTAIN:  Gallagher
>
> ABSENT:   Colvin
> - --------------------------------
> NON-CERTIFIED TEXT
>
>
>       COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
>
>                         RESOLUTION 93-6
>
>                       SEPTEMBER 1-2, 1993
>
> The Board believes that in deciding cryptographic policies and
> standards in the U.S., there is a compelling need to consider and
> evaluate the concerns listed below.  We, therefore, endorse the
> process being pursued by the administration in the form of an
> interagency review but believe the scope of that review needs to
> include adequate industry input.  We reaffirm our recommendation
> (of March 1992) that the issues surrounding this policy be
> debated in a public forum.  In view of the worldwide significance
> of these issues the Board believes that the Congress of the U.S.
> must be involved in the establishment of cryptographic policy.  
>
> The Board, furthermore, believes that there are a number of
> issues that must be resolved before any new or additional
> cryptographic solution is approved as a U.S. government standard:
>
>     1.   The protection of law enforcement and national security
>          interests;
>
>     2.   The protection of U.S. computer and telecommunication
>          interests in the international marketplace; and 
>
>     3.   The protection of U.S. persons' interests both
>          domestically and internationally. 
>
> FOR:      Castro, Gallagher, Gangemi, Lambert, Lipner, Kuyers,
>          Philcox, Rand, Walker, Whitehurst, and Zeitler
>
> AGAINST:  none
>
> ABSTAIN:  none
>
> ABSENT:   Colvin




...................................................................
          **** NOTE NEW STREET ADDRESS AND PHONE #s ****


Daniel J. Weitzner, Senior Staff Counsel
Electronic Frontier Foundation
1001 G St, NW
Suite 950 East
Washington, DC 20001
202-347-5400 (v) 
202-393-5509 (f)