At 11:11 AM 3/26/96 -0500, Adam Shostack wrote:
Timothy C. May wrote:
| My point is that I see no compelling legislation that is needed. If enough | people in Washington really want increased length in _exported products_ | (remember the "exported" part), the Congress and the President should find | it easy enough to get said products on to the Approved List. (I note that | the Leahy Bill really doesn't change this system anyway...some products go | on the list, some don't...the law only seems to say that when the horse has | already left the barn, i.e., when "comparable" products are already in | fairly wide use outside the U.S., then the products should be put on the | approved list. Big deal.
I'm forced to disagree on this point. I think that the comparable product has the potential to be a very big deal; it means that any product using IDEA or 3DES may become exportable, because such products are available outside the US.
It may be that wide use will be quibbled over, but DES, weak as it is, is widely used outside the US, and IDEA and 3DES will be. Thats why this legistlation will fail to pass.
I think Tim already pointed out that the danger in this kind of conditional approval is that it would be used to restrict export of new _usages_ for cryptography based on their "political correctness" quotient, rather than simply on the basis of level of security (length of codes.) In other words, just because a program used 3DES or IDEA would not automatically make it exportable. This may sound pessimistic, but unfortunately pessimistic turns into "accurate" far too often. Far more acceptable (and useful to us) would be a rule which would mandate the government's allowing the export of any program that had, say, the key security provided by IDEA or less, regardless of what it did with that encryption. (Not that I want _any_ restrictions; it's just that such a limit would make it impractically large to attempt to crack.) Jim Bell jimbell@pacifier.com