[5640] in cryptography@c2.net mail archive
Re: US encryption announcement: Business as usual
daemon@ATHENA.MIT.EDU (Greg Broiles)
Fri Sep 17 10:56:58 1999
Message-Id: <4.2.0.58.19990917070242.00b654a0@mail.wenet.net>
Date: Fri, 17 Sep 1999 07:11:01 -0700
To: Bill Stewart <bill.stewart@pobox.com>, cryptography@c2.net
From: Greg Broiles <gbroiles@netbox.com>
In-Reply-To: <3.0.5.32.19990917005147.00a4cda0@idiom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 12:51 AM 9/17/99 , Bill Stewart wrote:
>In the absence of technical constraints, it's hard to tell what
>the technical review could be reviewing - we're being told to believe
>that we're allowed to export full-strength crypto,
>and there aren't requirements for key compromise,
>and "works in North Korea" isn't a technical requirement,
>just a customer-destination one.
Some (anecdotal) information on this topic is available from Microsoft, as
part of their discussion of the NSAKEY discovery - they claim they were
forced to adopt that peculiar two-key architecture in order to comply with
the NSA's rules for what's exportable.
Assuming Microsoft is telling the truth about this - and we've had several
big names weigh in on behalf of Microsoft's good faith and credibility - we
can conclude that, in some cases, the NSA wants to not only review the
technical specs, but make substantitve design modifications with
considerable security implications prior to granting their approval.
I think there are some serious due process problems with requiring review
according to unpublished secret unrevewable standards prior to exercise of
a constitutional right, but that's just me.
I'm sure we'd all be pleased to hear more details from either Microsoft or
NSA about this process, as it's apparently still an important one, even in
these days of "liberalization".
--
Greg Broiles
gbroiles@netbox.com
PGP: 0x26E4488C
