Interesting People mailing list archives
IP: Today's Briefing of DPSWG [crypto related]
From: Dave Farber <farber () central cis upenn edu>
Date: Fri, 04 Oct 1996 19:04:21 -0400
Date: Fri, 04 Oct 1996 18:55:42 -0400
From: Shari Steele <ssteele () eff org>

Hi all. I just got back from the DPSWG briefing and found it to be very interesting. As usual, Bruce McConnell from the OMB was forthright and intelligent, but brought bad news. Here are bits and pieces from my notes. Feel free to forward this to appropriate locations.

Bruce started with an overview of what the new policy would do. He commented that it is "obviously not popular with anyone in particular." The Administration apparently did Hill briefings earlier this week and was "attacked from all directions."

The new policy will permit the export of commercial cryptographic products with 56-bit key lengths, DES & equivalent, even if there is no current key recovery plan in place. There will be a one-time review of the product to make sure that it's really 56 bits (NSA's role) and that there is an adequate plan for how the exporter will build key recovery into the product over the next two years. The license is only for 6 months, with 6-month renewals available upon a showing that the exporter has met the development milestones of the key recovery plan. For products that already have a key recovery system built in, there are no export restrictions based on key lengths. There are no restrictions on domestic encryption.

All of these rules apply to a new category of "commercial encryption," which Bruce insisted was anything that was not specifically developed for a military application. I asked, and he responded, that the NSA's only role would be to check for 56-bit key size, that the NSA would not be prohibiting encryption that could be dual-use if it weren't militarily developed.

Jurisdiction for all commercial encryption will be transferred to the Commerce Department beginning January 1. The Commerce Department will be coming out with new regs sometime this fall. They will be effective immediately on an interim basis, with reconsideration and changes pending public comment. The ITAR will only be relevant to military encryption. Bruce "doesn't believe" there'd be a CJ process any more for nonmilitary encryption. I asked if they would be reevaluating previous CJ determinations in light of these changes, and he responded that he didn't know. He wrote that question down.

All encryption products will be reviewed by a six-member team, consisting of reps from State, Commerce, Defense, Energy, Arms Control and Disarmament, and Justice.

The Administration will be seeking legislation to create penalties for the improper release of keys, and to provide protection for the proper release of keys. Under this proposal, a trusted third party is not required for holding the keys. Companies can hold their own keys if they can show that they've set it up so they will respond in a "timely manner" if the FBI shows up with a warrant. It would also be illegal to reveal to an individual that his key has been requested by the FBI. I specifically asked about how this would work for individuals, particularly researchers. Bruce responded, "No one's talking about individuals being able to do self-escrow." He expects it to be "an area of contention." He also commented that it would be hard for someone not to notify himself of a warrant.

Bruce insisted that there is no government-designed or -promoted key recovery system out there, although the government has been working with private companies on a "dozen or so" pilots that are being developed. He said that the new policy won't do anything about people superencrypting their messages. He did give the ominous comment, "The question about interoperability requirements with non-key recovery systems is still open." He expects that the President will sign the executive order making this "a done deal" by the end of this month.

After Bruce left, people turned on the two representatives of companies that signed on to this thing. Kawika Daguio of the American Bankers Association (who says hi to John) explained that, while they're not exactly enthusiastic about this proposal, they are being supportive because they are happy to see that the government is moving forward and putting their policy into writing. He also pointed out that his companies want to be able to read all financial transactions, so they really don't want unbreakable encryption. Ken Mendelson of Trusted Information Systems said that they are pleased that the new policy will permit them to export a key recovery system with any key length. They have one and they want to export it. He also said that they were supportive because they have finally found some common ground with the government and want to use this to improve policy without "cutting them off at the knees." Both Kawika and Ken insisted that their agreements with the government for a particular system did not sell their souls; they do not support a requirement that all systems must include key management.

I think that about sums it up. Oh, a couple of friends of EFF worth noting were there -- Ken Bass, who doesn't believe this will moot the Karn case, and Bob Corn-Revere, who brought me a copy of the latest filing in the Bernstein case (it looks awesome!). I guess at this point we have to sit back and wait to see the official Executive Order and the new Commerce regs.

Shari

Shari Steele
Staff Counsel
Electronic Frontier Foundation