Background on the Administation's encryption policy announcements

[David Farber <farber () central cis upenn edu>]

Subject: for interesting people
Date: Sat, 05 Feb 94 14:23:27 -0500
From: Stephen Walker <steve () tis com>


Background on the Administation's encryption policy announcements




On Friday Feb 4 the Clinton Administration held a press conference
to announce a progress report on the interagency review of cryptography.
Their review is not finished but the following was made public:


        - approval of the Escrow Encryption Standard and thus formalization
of the Clipper key escrow process.


The EES (now FIPS 185) is the first "classified" Federal Information
Processing Standard. The standard describes two classified "R21 Informal
Technical Reports" that "will be required to assure interoperability
of EES devices." "Organizations holding an  appropriate security clearance
and entering into a Memorandum of Agreement with the National Security
Agency regarding implementation of the standard will be provided access
to the classified specifications. Inquires may be made regarding the
Technical Reports and this program to Director, National Security Agency,
Fort George G. Meade, MD 20755-6000, ATTN: R21."


This is the first time in the history of FIPS (dating back to 1965 or so)
that clearances are required to implement a federal standard. This is a
direct consequence of using a classifed algorithm and classified key escrow
procedure to protect unclassified information.


The approval of the EES was made over the nearly unanimous objections
(several hundred to two) received during the public comment period. The
rationale for why the overwhelming public comments were overruled will
most likely not be made available since it is classified.


It was announced that Clipper devices with key escrow will be able
to be exported.


When asked about the international acceptability of key escrow, the comment
was made that "little progress has been made" in discussions with other
governments that have taken place even "as little as three weeks ago".






        - procedures for export control of already exportable
cryptographic products will be relaxed.


However, there will be no change in what can and cannot be exported.
If your product cannot be exported today, it will not be able to be
exported tomorrow.


Apparently the growing body of information concerning the foreign
availability of DES and related products and the ease with which
other countries allow the export of DES products has, thus far, had no
influence on government policy makers.






        - details on key escrow agents (NIST and Treasury (it seemed
important to someone to point out that neither of these were "law
enforcement" related agencies)) and key escrow procedures were announced.






        - establishment of an interagency working group on encryption and
telecommunication policy.






        - a decision not to proceed with the licensing of the Digital
Signature Algorithm to Public Key Partners, a proposal put forward last
June which met with another overwhelming public (including foreign
governments) condemnation.


Apparently the fact that this exclusive licensing would be at considerable
cost to the public is now viewed as not in the government's best interest.


Unfortunately, little was said about what would happen to the Digital
Signature Standard. The government will proceed down three paths:


   - attempting to negotiate a deal with Public Key Partners,
   - resorting to "other legal" approaches, and/or
   - defining a new algorithm for the DSS.


When asked if these alternatives would take a long time to resolve, the
answer was the government expects this matter to be resolved quickly.








Nothing in all that was announced at the conference was other than
voluntary for the general public.