-----BEGIN PGP SIGNED MESSAGE-----

Date: Fri, 8 Sep 1995 09:32:43 -0400 (EDT)
From: "Pat Farrell" <pfarrell@127.0.0.1>
To: cypherpunks@toad.com
Cc:
BCc:
Subject: Day 2 NIST meeting notes
X-NUPop-Charset: IBM 8-Bit

Thursday's GAK Export meeting started with reports from the prior afternoon's breakout meetings. I reported on the session I was in, saying what I posted to the list yesterday (about National Semi's product, etc.). The other breakout groups reported their problems with the criteria, again asking that #9 be dropped, longer keys, etc.

The presentation for Group "A" was different. It was a speech. It asked that the process be stopped to let industry develop market-driven solutions. It was greeted by applause from the vendors and privacy advocates, with no reaction from the government representatives.

Randy Williams of Commerce, and Dan Cook of State, described the current export approval process. Lots of talk of jurisdictions and types of licenses. I quickly got lost in the jargon. The moderator wisecracked that the official language of the session was English. You couldn't tell from some of the exchanges.

They were questioned on import restrictions. Both Williams and Cook said that there are no import restrictions into the US. They also pointed out that Treasury, not State or Commerce, has jurisdiction over imports.

An engineer from Compaq asked a question: He said that his company buys licenses to software, and bundles it as "value added" to their systems. They are interested in bundling in security features. He asked if his computers would then be subject to export restrictions. The answer was yes. He asked if he could purchase security software overseas and import it. The answer was again yes. He asked if he could install that software on his computers, again yes. And export the computers, NO. They didn't even seem to think that this was illogical.

So Commerce, State, and the rest of the government are actively encouraging the development of competing software industries in Israel, Germany and other countries. I hate to think what they'd do if they tried to hurt US industry.

An interesting tidbit came up after the session. In an offline conversation, the topic of "personal use export" came up. A reliable source said that revised regulations are being developed, and will be available soon. I explicitly asked if this meant "PGP on a notebook computer" and was told, Yes, that will be allowed; with the usual rules that it can't be for export, you can't be attempting to sell it, etc. Personal use, carry out and carry back. The "source" was asked if they had read Matt Blaze's personal use disaster story. The name didn't ring a bell, but the story was well known and considered a nightmare.

Penny Brummitt of NSA was to talk about Clipper's key escrow agents, but called in sick. I didn't catch the name of the replacement. He talked about Clipper's process, not as an example of what will be required for GAK agents, but as an "existence proof" that some agents can be found. The essence was that Clipper escrow facilities are strong, and staffed with people cleared to the "Secret" level. They also tossed out the phrase "US Person" in regard to the corporate entity that is responsible for the contract.

Geoff Greiveldinger, of the US Department of Justice, gave a frequently inaudible recounting of the evils of strong encryption in the war on D, P, & T, and also corrupt mayors. He was very personable. He also sounded like a fascist. Throughout the meeting, all sides tried to have a civil discussion, even though we disagreed. It was impossible to stay civil through his drivel. Ruby Ridge and Furman had been unmentionable up until his speech. Mr. Greiveldinger said that acceptable escrow agents will be in the US. This caused considerable concern among vendors trying to sell in the International market.

Dan Weitzer of CDT (the EFF spinoff) gave a short, rousing speech. It was a call to arms. He said that since NIS&T was ignoring the consistent input from industry to stop this silly and stupid GAK, that we need to immediately contact our congresscritters.

Ken Mendelsen [sic?] of TIS gave a great speech. He suggested that the criteria for escrow agents be the same as the form to export tanks and other munitions. Then he showed the one page form used by State. He argued that legislative solutions to the escrow agent approval process will take too long and kill the effort. I'll try to get copies of his presentation.

F.W. Gerbracht, Jr., a VP at Merrill Lynch, represented the Securities Industry Association. He said that they are willing to work with the government, but they need long keys, strong ciphers, and international escrow agents. He used the phrase "unlimited algorithms and keyspace" as a requirement. They also need buy-in from their regulators, and presented a long list of SEC, CFT, NYSE, NASDealers, and 50 state regulators, all of whom have to sign off.

Nanette DiTosto of Bankers Trust gave a short, to the point presentation. She said that BT has a commercial key escrow service, but that was not what she wanted to get across. She said that multinational banks demand strong encryption and non-US escrow agents. And that they would settle for nothing less.

A speaker from VTW gave a nice presentation. VTW is something like Voter's Telecommunications Watch. They have a mailing list, at listproc@vtw.org. He said that escrow was doomed to failure. That there is no middle ground. I'll try to get his slides too.

Jack Wack of TECSEC gave a pitch for his shrinkwrapped product. He said it is exportable now, they've jumped through all the hoops. He also gave a great crack from his son. It went roughly like: "Dad, if you own the data before you encrypt it, how come the government says you don't own it after you encrypt it?" It brought down the house. (If someone has a more accurate quote, please let me have a copy.)

Professor Hoffman of George Washington gave a great speech. He listed the Al Gore to Maria Cantwell letter's criteria, as a matrix. He then filled in the matrix with the Export GAK's criteria. It was painfully obvious that the NIST/NSA proposal didn't come close. He recommended that they focus closely on the Gore criteria, and come up with an approach that meets all the criteria.

While I planned on staying for the remainder of the meeting, a crisis came up at my day job. I can't say I was looking forward to more, a day and a half was enough for me, and I wasn't the only person leaving early. Attendance was down visibly Thursday relative to the first day.

Pat

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBMFBGEbCsmOInW9opAQEfQgP+P/P0MRGe3EOElzM0UPQy+xce0XGe3wex
gfQdTrGWhL+FbYt/7taj6jgtcRg9zih1yQ3W+kN/VUXY9J4I1b6dw+j0sb6MkCjT
pShnflDI5OPQmmUq9KZlmy50u2yXuBqfWSdXd9NypjDsh7XDrWIqvqIcuT1cc/di
quNZ3u7aymw=
=oJC7
-----END PGP SIGNATURE-----

p.s. please let me know if this one's pgp sig is better than yesterday's

Pat Farrell                grad student          http://www.isse.gmu.edu/students/pfarrell
Infor. Systems and Software Engineering, George Mason University, Fairfax, VA
PGP key available via finger or request          #include standard.disclaimer