Paul Goggin sent the list a copy of Steven Fisher's letter to InfoWorld about NSA harassment for offering commercial crypto back in 1981. The NSA is supposedly a bit better behaved these days, at least in public :-), but it's no surprise. Sometime around then, they slapped patent secrecy orders on a guy who had designed an analog scrambler for CB radio; a real crypto-system must have been a much more significant threat to them. A couple of comments were interesting: One was the assertion in the letter he received from the BATF that their product, as munition, could not only not be exported, but could also not be sold to *multinational companies*. Was that the law then? Or was the BATF just a bit over-enthusiastic about what they could get away with? It's also interesting that it was the BATF. Another was that the NSA asked them to put in a trapdoor. These days, escrow is the politically correct way of implementing a trapdoor, but - I wonder if it would be possible to make a trapdoor/weak escrow system, which escrows the keys for *some* kinds of keys, enough to make the bureaucrats think it's ok, but which also has a class of keys for which the escrow is non-effective, bogus, or otherwise doesn't let the cops in, which could be revealed to users after the system has been approved and sold? Perhaps a system which requires 2**N steps to retrieve most keys from escrow, but has a small set that can be gotten quickly for demos? Could you do a system like that and hide it from the NSA for a while? Some alternative approaches would be a system that obscured the escrow (easy to build from clipper if you've got a programmable phone; you just encrypt the Wiretap Field with your session key), or worked fine with a bogus Wiretap Field, or a system where the escrow can be made ineffective administratively (either lost by the escrow agents, or requiring the participation of the telephone owner, or tampered by the owner) At the very minimum, having a system that doesn't let the NSA cheat during the escrow process would be a good start - where each part of the escrow key is really installed separately, and verifiable hardwarily-random numbers are used to seed the key generation. Since the NSA\b\b\bNIST hasn't announced their plans for how to select escrow agents, much less who they are, or how they *really* plan to set the keys, I suppose it's premature to ask them to announce what the rules will be for approval of escrow procedures or agencies or guarantee that if you follow them, you'll be allowed to export your products? :-) Bill Bill Stewart wcs@anchor.ho.att.com +1-908-949-0705 fax-4876 ROT13 public key available upon request