Interesting People mailing list archives
FIRP report comments -- forward to your lists if you wish
From: David Farber <farber () central cis upenn edu>
Date: Tue, 15 Feb 1994 17:23:20 -0500
Date: Tue, 15 Feb 94 17:12:30 -0500
From: Stephen D Crocker <crocker () tis com>

These are the meat of the comments I've supplied in response to the draft FIRP report.

Response to the Draft Report of the Federal Internetworking Requirements Panel (FIRP), 14 January 1994

Part 1: Strategic Comments

Stephen D. Crocker
Vice President, Trusted Information Systems, Inc.
IETF Security Area Director

15 February 1994

INTRODUCTION

"The Federal Internetworking Requirements Panel (FIRP) was established by the National Institute of Standards and Technology (NIST) to reassess federal requirements for open systems networks and to recommend policy on the [U.S.] Government's use of networking standards." [Preface, para 1.]

The FIRP report describes the need for the U.S. Federal Government to embrace not only the OSI protocol suite but also the ubiquitous TCP/IP Protocol Suite. In fact, Internet Standards, which include the TCP/IP Protocol Suite, are in very wide use in the Government, throughout the U.S. and throughout the world. Some OSI products and systems exist, and it may be impossible to switch completely to TCP/IP-based systems. Nonetheless, the report says, it is time to acknowledge the widespread use of the Internet Standards and give formal sanction to their use in the Government. This is indeed a welcome change, and it should help the Government take better advantage of modern data networking.

This memo is the first of two responses to the report. In this memo, some issues are raised with respect to the recommendations in the FIRP report, and suggestions are made for avoiding problems in the future. In the other memo, comments are given with respect to specific sections of the report.

STRATEGIC COMMENTS

This panel was convened in response to a divergence between the strategy the U.S. Federal Government had been following for several years and the direction of the marketplace.
As the report makes clear, the divergence had become so great that the policy no longer reflected attainable objectives. The accommodation of the Internet Standards brings policy into line with widespread practice and removes obstacles for rational management decisions in the future. In this light, it's worth examining the recommendations to ascertain if they are sufficient to avoid similar problems in the future.

As with any large organization, the U.S. Federal Government pursues multiple policy objectives and has ingrained organizational imperatives. Recommendations that respond only to the current marketplace without also anticipating the future or without including the flexibility to follow the lead of the marketplace may lead to the convening of a similar panel in the not too distant future.

The FIRP report makes five recommendations:

1. The role of oversight and integration across federal agency internetworking activities should be strengthened within the Office of Management and Budget.

2. The roles and responsibilities for fostering standards and assessing technological change should be refocused and strengthened by the Department of Commerce.

3. The roles and responsibilities for infrastructure development and operations to support all internetworking services from advanced research and development to leading edge to core/commodity services should be clearly defined and formally assigned through the Information Infrastructure Task Force.

4. The roles and responsibilities of affinity groups should be defined, including how they are created and coordinated by the Government Information Technology Services working group.

5. In accordance with OMB Circular A-119, Revised October 1992, voluntary standards should be adopted and used by Federal agencies, and international standards should be considered in the interests of promoting trade.
The current GOSIP policy should be modified by the Department of Commerce to reflect the wider range of international voluntary standards for internetworking.

Recommendation 1 asks that OMB's role be strengthened. OMB has the charter to review the roles, responsibilities and performances of the various agencies which provide, develop or guide the U.S. Government's internetworking activities. This is an important role. The OMB should develop guidelines for measuring the performance of the assigned agencies and the attainment of the overall objectives. Although there is usually a preference to avoid duplication of activities, some degree of competition, exploration of alternative strategies and comparison of results is desirable because it tends to produce more cost effective products and services that are better matched to the needs of the users. Wherever feasible, the OMB should also foster multiple approaches and/or participation by multiple agencies in order to provide for maximum feedback within the system.

Recommendation 2 suggests the Department of Commerce be tasked with new responsibility for "fostering standards." Presumably the context of this recommendation is with respect to internal standards within the U.S. Government.

The general arena for developing Internet Standards is the Internet Engineering Task Force (IETF) which operates in conjunction with the Internet Architecture Board (IAB) under the auspices of the Internet Society. The Internet Society, along with NSF, ARPA, DOE and NASA, provide considerable financial support to the standards activities. This process enjoys widespread support from the industrial, academic and government communities, and as a result, the standards developed in this arena reflect the needs of the marketplace and are usually adopted widely and quickly.

Even if this recommendation is understood to be limited to refer to internal use of the U.S. Government, the recommendation is flawed. "Department of Commerce" here certainly includes NIST, but is likely to include other parts of the Department. While NIST is indeed the federal agency tasked with promoting and developing standards, NIST and the rest of the Department have at least two difficulties to overcome.

First, NIST has been the lead agency with respect to GOSIP. NIST personnel are deeply knowledgeable about the OSI suite and less familiar with the TCP/IP Protocol Suite. NIST is not now in a position to provide leadership in this area, although it does have the technical strength to follow, assist and participate in the ongoing standards activities. One challenge for NIST in the next few years will be to strengthen its staff and adjust its direction to move toward a stronger involvement in the Internet Standards activities. A significant part of this challenge is working in a standards arena in which the U.S. Government does not have de jure authority or veto power.

Second, the Department of Commerce is heavily committed to a particular strategy with respect to cryptography that is currently in conflict with the forces in the marketplace. NIST is the lead agency involved in the promulgation of the Digital Signature Standard (DSS) and the "Clipper" escrowed-key encryption system. Both of these initiatives are meeting very strong resistance from industry and academia. The RSA algorithm is the de facto standard for signatures and key exchange, and some form of DES and/or some proprietary algorithms, e.g. RC2 and RC4, are likely to be the de facto standards for bulk encryption.

The U.S. Government's orientation toward cryptography comes from the specific concerns of the intelligence and law enforcement agencies. While not denying the principle that the intelligence and law enforcement agencies have legitimate concerns, it is far from clear that the approach being taken by the Department in support of these concerns will be successful.
In fact, it is entirely possible these initiatives will not succeed in the marketplace. If so, the result will be the existence of dual standards in which the Government algorithms will be used only under duress, both the Government and the general population will bear unnecessary costs dealing with dual standards, the introduction of strong security controls will be retarded, and the intelligence and law enforcement agencies will not succeed in preventing the use of strong encryption, except in so far as they succeed in retarding the use of encryption altogether.

On February 4, 1994, the Department announced it had made substantial progress in its review of policies governing cryptography. It announced that export controls on DES and similar cryptography will remain in place, that the Department will continue to promulgate the Digital Signature Standard despite uncertainties about the patent and licenses, and it will adopt the escrowed encryption system (Clipper) as a Government standard. Nothing in the public record supports these decisions, and it was made clear that these decisions are driven by the views of the law enforcement and intelligence agencies.

The purpose of citing these controversies concerning cryptography policy here is to explicate a consequence relevant to the FIRP report. The Commerce Department, and in particular NIST, have a conflict of interest. Like a lawyer with two clients with intertangled interests, the Department is trying to serve two constituencies. One constituency is the federal government as a whole, and in that role, it must do the best job it can of interpreting the market forces and adopting federal standards that are consistent with the marketplace. The Department's other constituency is the particular needs of the law enforcement and intelligence agencies. Those agencies desire to influence and change the direction of the marketplace.
In service of this role, NIST is adopting federal standards that reflect the direction the law enforcement and intelligence agencies want the market to go. The only way for the Department to be successful is if the law enforcement and intelligence agencies prevail and the marketplace adopts the standards the Government is promulgating. Perhaps this will happen, and if so, the Government's gamble will pay off. However, if the marketplace continues to adopt RSA as the preferred public key algorithm, if DES and other non-escrowed algorithms are used for symmetric key encryption, and if products with encryption become prevalent in non-U.S. markets, not only will the stated goals of the law enforcement and intelligence communities be lost, the rest of the federal government and indeed the rest of the country will have paid the price in struggling with dual standards.

Like a stubborn child with a tensed jaw, the U.S. Government seems bent on pressing forward with these initiatives. So be it. But in handing out accolades because NIST is now willing to accommodate the protocols that have been commonplace for many years, it's fair to note that NIST and the rest of the Department are engaged in an exercise which promises to bring a repeat of the same divergence, confusion and waste of resources which the FIRP report documents.

Recommendation 3 suggests that each role and responsibility should be tasked to some specific agency. Apparently this is aimed at reducing duplication. While useful in principle, this approach is fragile. If the assigned agencies are incompetent or inefficient, everyone suffers. The report does suggest that some assignments may be decentralized. Decentralization should be emphasized. Wherever possible, multiple approaches and multiple agencies should be encouraged. Competition and comparison are enormously useful forces.
As noted above with respect to recommendation 1, the OMB should encourage as much decentralization as possible and should oversee the agencies establishing a means of measuring the results.

Recommendations 4 and 5 are oriented toward implementation of the first three recommendations and raise fewer strategic concerns except that recommendation 5 implicitly acknowledges that the role of the U.S. Government in the standards process shifts from one of controlling the process to one of participating in the process. As noted above with respect to recommendation 2, this shift poses an institutional challenge for the Government in general and NIST in particular.