I just got back from the NIST GAK export meeting. This is a short writeup of a summary. I'll post a longer version later this evening or early tomorrow morning. The meeting was hosted by Ed Roback of NIST, who quickly introduced Mike Nelson of the White House. Mike is clearly a political guy. His handout says: "We believe that our proposal for exportable 64-bit key escrow encryption meets these goals [the goals of VP Gore's letter to Rep Cantwell, July 20, 1994]." He said that the criteria describe a solution, but not the only solution. He said it does not preclude other implementations in the future. He anticipates that the State Department will issue guidance based upon these criteria in "early 1996," and that between now and then, any product that meets the criteria will be elegible for expidited approval. Of course, the existing (slow as molasass) process will continue. I asked the first questions from the floor. The two questions were: (1) Is this meeting concerned solely with export of software, or does it deal with controling domestic use of strong cryptography? and (2) since the 64-bit limit was severly criticized at the Sept meeting, why is it still needed if there is also escrow? His answer was that there is "no intention to control domestic encryption" and on the 64-bit issue, that the government is "not certain it will work." he says they "want to see it implemented and want to see how it works" because 64-bit encryption is very strong. If the escrow doesn't work, they don't want a lot of softare to be in widespread use. He said that they have studied the encryption that is supposed to be widely available on the Internet. He said that viewed by crypto experts, not much is very good. He mentioned "two incidents" where Netscape had weak implimentations. He feels that companies will not trust software over the 'net. that they "want the US Government to say that 'this is good enough'." Clint Brooks, of NSA, then went over the revised criteria. He claimed that they were surprized at the industry concern over "one product" for worldwide markets. There were lots of questions. He eventually admitted that because of the "one product" concern, export regulations will effect domestic products. [all the more reason for Netscape to keep building ten or whatever it is.] Brooks admitted that it is impossible to prevent multiple encryption. Cypherpunks would do that by using PGP and then sending it using GAK. He said "as a person, you can set up a secure communication method, and nothing can be done about it." His concern is not that smart people can have stronger crypto, but that strong crypto will be easy and widely used. He said that the 64-bit key limit is not meant to restrict RSA keys to 64-bits, but rather to restrict the session keys that are encrypted using RSA. Unspoken was the assumption that the 2000 bit RSA secret key would have to be escrowed. There were some interesting (and bad IMHO) implications of interoperability. I'll cover them more in the long version. Basically, they admitted that the interoperability restrictions made it stupid to have an export version, you should have a strong domestic version, and an international version developed offshore for sale to the rest of the world. They admitted that there can be no controls over export of data, so once interoperating software is available both domestically and from offshore sources, there is no value in the export controlled, crippled version. My favorite policeman, Geoff Greiveldinger, then described the characteristics of an acceptable key escrow agent. There was a long list of criteria, all unseen before the meeting. The general reaction of the audience was that these were "yet another set of criteria that must be met." Geoff claimed that they were simply trying to address the questions raised at the earlier meeting about who is an acceptable escrow agent. One point that caused a lot of concern was that at least one employee of the escrow agent has to have a SECRET clearence. Industry, with a few exceptions, soundly said that this is a dumb idea, that there is no market, that the criteria are too hard, etc. Except Padgett Petersen, representing Lockheed-Martin. He said that LM thought that the criteria were just peachy. The usual civil liberties folks also soundly trashed it. There was a representative from Netscape. He said that they, as a company think this is a terrible idea. They oppose it now, and will be issuing a company policy soon. I didn't catch his name, and couldn't find him to get the obviously carefully prepared text. If someone from Netscape, are you listening Jeff W? could get me the text, I'll add it to my writeup. ****************** What I think it means: I believe that the government deeply wants to restrict domestic use of strong encryption, but they have no legal justification for doing so. They can't expect that they will get it if they go to Congress. So they are attempting an end-arround using the export criteria, which they _do control_. They hope that the pain of having multiple versions will be so high that no vendor will bother, and all we'll have is crippled software. The usual civil liberties lobby folks (CDT, EPIC, etc.) want to hold their own, industry sponsored meetings to develop workable systems. I think that the real key is for everyone, worldwide to insist on both strong crypto and interoperability. The Germans are already writing fine software and making fast hardware. Microsoft and Netscape can easily afford to do some of their development offshore. If the products sell and are deployed, it won't matter what the govies want. Pat ps. there were a number of other cypherpunks in attendance. I hope some will add their impressions of the day. Pat Farrell Grad Student http://www.isse.gmu.edu/students/pfarrell Info. Systems & Software Engineering, George Mason University, Fairfax, VA PGP key available on homepage #include <standard.disclaimer>