U.S. Council, Clipper Chip and export control meetings last week

[David Farber <farber () central cis upenn edu>]

Date: Tue, 3 May 94 14:10 EST
From: "Robert S. Powers" <0002728164 () mcimail com>


Last Tuesday (26Ap94) I was part of a delegation of the U. S.
Council for International Business, to address issues associated
with the Clipper Chip proposal and export control rules and
legislation. The delegation held separate meetings with:


 - Ray Kammer; Deputy Director, NIST
   Lynn McNulty; head of a cryptology group at NIST


 - Mike Nelson; OSTP, and VP Gore's chief technology advisor


 - Brad Gordon; Staff Director, Subcommittee on International
     Operations, Committee on Foreign Affairs, US House of
     Representatives


The delegation included:


Ed Regan, VP, Chemical Bank
William Whitehurst, IBM
Don Gilbert, American Petroleum Institute
Jill Oliver, J.P. Morgan
Nanette diTosto, U.S. Council on International Business
Yours Truly


In all the meetings, the delegation stressed that its focus was
on the international impacts of the proposed Clipper Chip and the
existing and proposed export policies, not on the privacy aspects
of Clipper.


NIST
----
My impression was that the NIST folks are truly interested in
getting to reasonable answers/policies rather than taking
absolute positions. They clearly recognize the potential
opposition of foreign governments, to Clipper.


Kammer stressed that Clipper is a *voluntary* Federal Information
Processing Standard (FIPS), and is not mandatory even for federal
agencies, let alone for the general public. Most people's
understanding, based on previous hints from the FedGov, is that
Clipper/Capstone would be mandatory for FedGov agencies. Kammer
confirmed that this Administration, at least, has no intent to
outlaw the use of other encryption algorithms in the United
States. (But of course, who can speak for future
Administrations?)


Kammer expressed some interest in the idea of using escrow agents
internal to U.S. corporations, for phones used by those
corporations, on the generally accepted assumption that such
escrow agents would cooperate with law enforcement agencies that
came to them with court orders. But law enforcement agencies
might not like this option.


The current Administration position on export controls is that
there should be no change in the current policy of strict control
on encryption export, based on the conclusion that encryption is
"weaponry." There is the possibility of creating an interagency
working group to advise on how to keep up with technology.


The possibility of working through ITU on international issues
associated with Clipper was also discussed, as well as
recognition that it would be useful to find ways for the
government and private industry to work toward an agreed upon
balance between individual privacy and the ability of law
enforcement to intercept conversations.


When the already wide availability of DES was pointed out, Kammer
suggested that modern computers have the power to crack DES-
encrypted messages too easily, and predicted that five years from
now NIST will no longer be certifying DES.


Also discussed was the Administration's interest in the Digital
Signature Algorithm -- DSA. The major objection to DSA, as
compared to the currently widely accepted RSA signature process,
is that DSA can ONLY be used for the signature validation
process; and some OTHER algorithm must be installed and used for
encryption of the associated message. RSA can be used for both
text and digital signatures, although because of RSA's high
processing requirements other algorithms are typically used for
encrypting very large text files.


Kammer is not absolutely wedded to the DSA standard, provided
some other proposal meets the performance requirements.




Mike Nelson, OSTP
-----------------
Ed Regan is the US Council's representative to the International
Chamber of Commerce, which is working up a position paper on
international encryption policy, to be completed this month
(May). The need for the paper is based on the recognition, with
which Mike agrees, that to make Clipper or a similar scheme
viable, it must be made international. He wants a briefing on the
ICC paper, when available.


Mike plans an invitation-only conference on encryption issues,
in about a month from now. He stressed that the Administration
DOES want people and businesses to have encryption available, but
with the proviso that law enforcement agencies can decrypt it.


The Administration is willing to consider, and he says that it is
considering, alternatives to the proposed escrow process,
including the possibility of using escrow agents internal to U.S.
corporations.


His argument about controlling the export of DES and other
encryption software is based on the observation that the U.S.
controls about 90% (he says) of the world's software market.
Forbidding exporting encryption in that mass of software is very
effective in cutting down the use of encryption by criminals and
terrorists around the world; and if we allowed export of the
encryption it would be widely implemented in that 90% of the
software market. And, he points out, it's not just the US
government, but also foreign governments, that don't want that
result.


As to the digital signature algorithm: a major goal of the
Administration is to develop and implement a royalty-free digital
signature algorithm, which RSA is not.




Brad Gordon
-----------
This meeting focussed entirely on export controls, not on
Clipper.


The bill introduced by Maria Cantwell, which proposes relaxation
of export controls on encryption, is very unlikely to pass, as
drafted, Mr. Gordon believes. He stressed that what the NSA and
Congress need from industry is a well-supported compromise
position on encryption exports. For example, would industry be
satisfied with the ability to export encryption hardware/software
to OECD countries only? He suggested working closely with the
intelligence community, while recognizing that the intelligence
folks could not and would not expose many of their reasons for
feeling so strongly about export controls.


Bill Whitehurst outlined a "traffic light" proposal, from NSA.
Red, yellow and green lights (for export authority) would be
determined on the basis of both the country and the industry
being considered for export permission.


                         ---   end   ---