-----BEGIN PGP SIGNED MESSAGE----- On 22 Feb 96, John Young wrote and quoted Steve Walker:
To supplement TIS's Web site information on CKE, here's a mailing from Steve Walker earlier this month:
TRUSTED INFORMATION SYSTEMS, INC.
February 2, 1996
There has been amazing progress on TIS's Commercial Key Escrow (CKE) initiative since my last status report.
<groan>
By adding CKE technology to our firewalls, the Gauntlet system with DES and CKE now meets the U.S. government requirements for export to most parts of the world.
Oh, goody!
While this temporary export license has limitations (there must be a Data Recovey Center in the U.S....
It's GAK (GAK!). Instead of one arm of the government supposedly holding keys safe from unauthorized access by another arm of the government, it will be a duly approved, registered, regulated repository holding keys safe from unauthorized access by an arm of the government. Just like banks protect customers' funds and privacy... Gee! It sure sounds like utopia to me... utopia for government. Does anyone know of ANY regulated industry that exists at the pleasure of the government that also strenuously defends its customers' rights against government efforts? I think not.
...it represents the first export approval of a DES-based key escrow encryption system, a small step...
...backward.
...the private sector's need for encryption protection and governments' needs to be able to decrypt the communications of criminals, terrorists, and other adversaries...
There is no difference between the justification for this and what was offered to justify Clipper. "Other adversaries," like those who want to keep their affairs private, or wish to live free in an increasingly unfree world? I think I'm gonna puke.
Other meetings will follow, but it appears that most major governments endorse the U.S. government's user-controlled key escrow initiative as the only practical way through the cryptography maze.
I AM gonna puke. Of COURSE most governments will go for this! The practical effect is essentially the same as if all paper mail were to be machine-copied and archived, only accessible with a "proper court order." Even though the government can go after your mail now, lawfully or UNlawfully, if they don't, it's gone -- it has no persistence in any system not under the control of sender or receiver, and as a practical matter ALL paper mail cannot be copied and archived by any third party. However, e-mail is rapidly replacing paper mail and some supposed advocates of crypto are helping the government ensure that MAIL of the future will have the potential to be a persistent "e-trail," something that paper mail could never be.
In mid-January, Microsoft announced its long-awaited Cryptographic Application Programming Interface (CAPI). This development promises to finally provide a well-defined separation between applications calling on cryptography and the actual performance of the cryptography. Now users will be able to request cryptographic functions in hundreds of applications and select precisely which cryptography to use at the time of program execution rather than program purchase.
Yeah, I guess all the programmers in the world who DON'T work for Microsloth are just too darned stupid to have conceived of any such separation. Thank goodness MS made this possible! Now we can dispense with all those foolish delusions we once harbored and admit that all the DOS offline mail readers in the world that supported a configurable editor only *appeared* to interface to third-party crypto modules via editor interface layers... Now we can admit that we were mistaken in believing that Pegasus Mail was trivially equipped with a generic crypto interface and that an interface layer to PGP was released by another party within weeks...
Cryptographic Service Providers (CSPs) can now evolve independent of applications, and users can choose whatever cryptography is available wherever they are in the world. TIS is working closely with CSP vendors to ensure that CSPs with good cryptography are available in domestic and exportable versions as soon as possible based on the U.S. government's key escrow initiative.
What self-serving bullshit.
We would now have widespread use of encryption, both domestically and worldwide; we would be in a state of "Utopia," with widespread availability of cryptography with unlimited key lengths. But, once in this state, we will face situations where we need a file that had been encrypted by an associate who is unavailable (illness, traffic jam, or change of jobs).
Yeah, this is a really good reason to flush privacy in communications down the toilet of subservience to limitless government. Really.
+ Then in 1995, the U.S. government announced its key escrow initiative: allow the export of up to 64-bit cryptography (a remarkable concession) when accompanied by an acceptable form of user-controlled key escrow (critical component to this policy being that "an acceptable escrow system" must have sufficient integrity to give the government confidence that, with a warrant, the keys will be available.)...
Of course. A remarkable arrogation of power rather than a concession: Laying the foundation for ALL communications to be available with a warrant, something the government has NEVER in its history enjoyed.
Some in the computer industry labeled this just another form of Clipper and vowed to continue the fight against U.S. government regulation of encryption in any form -- presumably forever.
They were right and you are wrong in asserting that it would be "forever." These things solve themselves in time as long as there is a plurality of political systems and national interests on the planet. No government on earth can long stand against irresistible forces.
On the other hand, once the new escrowed encryption policy was announced, U.S. government agencies -- the FBI, NSA, White House, DoD, DoJ, NIST, and NSC -- closed ranks behind it and have shown little interest in discussing any other approaches.
Sure. So throw in the towel, eh? If you can't fight 'em, JOIN 'em. Right? <puke>
In addition, neither political party has shown any interest in taking up the argument in the Congress, probably because it is a complex issue and there is no obvious "winning" position.
That may be a compelling argument in favor of finding ways to send wakeup calls to the political machinery -- the kinds of calls that cause severe loss of sleep and the eruption of multitudinous beads of sweat -- but it is HARDLY an argument in favor of signing on, as it were, to GAK.
But, depending upon how the definition of user-controlled key escrow is resolved, the new escrow policy could just be the long-sought compromise between government and industry that gets us through this morass.
What you mean, "Us," kimosabe? This whole piece you've written is a superficial rationalization for shitcanning principle when it is placed in opposition to corporate survival by presumed higher authority. If this is the "long-sought compromise" that "gets us through this morass," it is a textbook example of the "turd in the punchbowl" dilemma. How small a turd will you compromise on before you will consider the punch fit to drink? Rather a large one, evidently. Then again, this could be because you see yourself more as a purveyor of punch than an imbiber. History repeats itself. Endlessly.
+ If we can ensure that organizations can control the security of backup access to their encrypted information through well-designed commercial key recovery systems -- yet also ensure that governments have access when justified via normal legal procedures -- we may have truly found the "Ultimate Utopia" solution to a dilemma that has existed all of our professional lives and threatens to continue through the next generation...
What on earth gives you the idea that anyone outside government wants to "ensure that governments have access when justified?" Most individuals would prefer to have and use the means to ensure that *no one* has access to their private communications, "justified" or not. More death, torture, mulilation, incarceration and confiscation have been perpetrated by governments "justified" by laws valid in their time and place than all the harm ever done by all the private individuals in history. What is today's "justification" could well become tomorrow's crime against humanity.
Thus, in my thought experiment I have come to the conclusion that we (industry and government) are all heading towards the same objective...
If you're right, then maybe the whole thing needs to be dismantled and built again from the ground up. Really.
...but on a different path from what some of us originally wanted.
Yes -- the path of totalitarianism, apparently.
Yet, to my way of thinking, that path has to accomodate us all if we are ever to arrive at any mutually agreeable destination.
False. Suppose you and your spouse wish to remain inviolate but the guy in the ski mask wants to sodomize you both? To your way of thinking, "that path has to accomodate us all if we are ever to arrive at any mutually agreeable destination." Good fucking luck.
When one group of participants raises insurmountable barriers for another group, it simply blocks everyone from progressing down any path, and the net result is that U.S. industry is not able to export any good crypto-based security.
Although it's possible this may never have occurred to you, maybe those who want to see strong crypto freely available would prefer that as long as the U.S. insists on maintaining self-destructive crypto policies they impact U.S. industry and provide incentive for foreign crypto development rather than see U.S. industry crawl supine and subservient to lick the shoes of bureaucrats who are, after all, our employees and (supposedly) our SERVANTS. What you are doing is going into agreement with the government and helping to take the pressure off the government, when what is really called for is a firm stand that keeps the responsibility for the consequences squarely where it belongs: on government hands. Caving while pretending to adhere to principle fosters that to which one caves. Standing firm is much more likely to force a change. You've CHOSEN to be in a business whose market reach is at the pleasure of the government. Not satisfied with the reach allowed you, you jump through quite a few logical hoops to rationalize why it's ok to tailor principle to the necessities attendant to navigating the obstacles to which you voluntarily made yourself subject in the first place. Perhaps you can see why I wouldn't trust you with the keys to my car, much less my communications?
We at TIS are dedicated to finding a solution acceptable to all sides. We ask your help in this struggle. If you want exportable cryptography routinely available in your lifetime and believe that user-controlled key recovery is an important, if not vital, capability...
The two have no natural connection. The unnatural connection is created by government policy. As with the unnatural connection established by a kidnapper between failure to meet the demands and damage to the victim, you grant it legitimacy to the extent that you cave to it. As far as exportable crypto in [our] lifetime... that will take care of itself without your help. What you are doing will DELAY it by appearing to address important issues while in reality severely damaging the principle of maintaining freedom of encryption by helping to establish a system in which that freedom will not exist.
If you want to integrate exportable CKE into your product line, we are ready to help.
Thanks, but no thanks.
If you want to buy internationally deployable good cryptography with your favorite applications, tell your application vendor you want escrow-enabled applications.
No way, Jose! Most people who want it have access to PGP now, and already are using it with their favorite applications. The future can offer only more and better, regardless of present government policies. Pegasus Mail showed that integration is not a big deal if the software originates outside the U.S., so the direction is established and obvious: As the many millions of programmers around the world develop more and more advanced applications, those apps increasingly will tend to have crypto interfaces. Those interested in crypto will buy foreign products. In the ABSENCE of efforts such as yours, the pressure on the U.S. government would rapidly become irresistible.
We all have an opportunity to make a major difference here.
Yes indeed, and I have not the slightest desire to help you help the government institutionalize a bad policy.
Sincerely, Stephen T. Walker
Stephen, you've gotten carried away with yourself. "Ultimate Utopia" indeed! I'm reminded of the validity of the communist quip that capitalists will sell them the rope with which to hang the capitalists. Seems there is some truth to that. We Jurgar Din (that will have to suffice: I do not yet live in a free country) +"The battle, Sir, is not to the strong alone. It is to the+ +vigilant, the active, the brave. Besides, Sir, we have no + +election. If we were base enough to desire it, it is now + +too late to retire from the contest." -Patrick Henry 1775 + -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMTIbaEjw99YhtpnhAQFJ3gH/U532RzeENe1SbI2B4LCxXZCJYwksYipC fSFsAX4hCudT9BBYc/wuGGle/TvejQuIChR8qoxw7sjIip4IWHakdw== =x1iC -----END PGP SIGNATURE-----