Interesting People mailing list archives
IP: HP-Intel-Microsoft Crypto Announcement
From: Dave Farber <farber () cis upenn edu>
Date: Sun, 24 Nov 1996 22:14:34 -0500
Date: Sun, 24 Nov 96 21:43:47 EST From: "Stewart Baker" <sbaker () mail steptoe com> To: farber () cis upenn edu Subject: HP-Intel-Microsoft Crypto Announcement I also attended the Hewlett-Packard/Intel/Microsoft announcement, and I thought it might be useful to offer a slightly different perspective from Ross Stapleton-Gray's and Declan McCullagh's notes. It's understandable, given the coincidence of the two events, that Ross and Declan saw the announcement as tied to the government's key recovery initiative, but I think they may have been led astray by the timing. As I understand it, the HP framework is not so much an embrace of government regulation in this field as a recognition by some major companies that governments simply are not going to get out of the business of regulating encryption soon, or at least not soon enough for the people who want to build a secure global network right now. I see the announcement as an effort by business to sidestep the policy debate, to say to the politicians, "Whatever crypto policy you decide to adopt, this system will work with it." So, in my view, the HP technology is significant mainly for its flexibility rather than for supporting key recovery or any other particular policy. It allows PC manufacturers to build into their products virtually any form of encryption that a user could want and to ship those products around the world without falling afoul of export controls or domestic regulations on encryption.
From a security point of view, this is important because it allows
commoditization of security hardware. One of the reasons why encryption hardware has not spread is that individualized licensing and local restrictions make it imprudent to include hardware security as a standard feature in PCs aimed at mass markets. The HP system has safeguards that have evidently persuaded governments that they can allow mass market sales of hardware encryption without giving up their current regulatory authority. What does this mean for the government's key escrow policy? First, as we heard at the news conference, HP's system will run the TIS commercial key recovery system (and presumably the CertCo./Bankers Trust system as well). So it will make key recovery products available to buyers. But it will also run 40-bit encryption, DES, and other strong algorithms without escrow. The customer decides what crypto to use; the framework doesn't favor one of those technologies over the other, except that it allows customers to buy strong key-recovery crypto today with the knowledge that the hardware won't become obsolete tomorrow if government policies change and something more attractive comes along. As a separate point, I'm not sure Declan is right to call this vaporware. The basic hardware has been available for a while. (I saw an early demo a few years ago.) It sounds as though the R&D is done; all that remains is engineering, and maybe not too much of that.
Current thread:
- IP: HP-Intel-Microsoft Crypto Announcement Dave Farber (Nov 24)