
David Sternlight writes:
At 1:32 PM -0700 7/18/96, Jeff Barber wrote:
Let's see what the study group recommends. There are a lot of things the government can do, and plenty of historical precedent.
There *are* a lot of things government can do. There aren't a lot of things it can do well. But you want to wait and see what a *government study group* decides to recommend? Gee, who can guess what they'll decide?
You should do your homework. It's going to have a lot of industry people on it and be chaired by an industry person.
This isn't the same panel I saw mentioned on this list. That one had, as I recall, two individuals being selected by each of several cabinet departments and executive agencies.
Now THAT is apples and oranges. The security of, say, IBM's, or the FAA's, or AT&T's domestic computer networks has little to do with crypto export policy.
Big companies like IBM, AT&T, etc. have *international* networks. Hence, the connection to the crypto export policy, which prevents comprehensive security programs from being deployed. As a "senior technical executive" (oxymoron alert) to Fortune 50 companies, I assume you know that and are simply choosing to ignore it for the sake of your current argument.
Putting the government in charge of fixing security problems is likely to result in an infrastructure optimized for surveillance, as we've seen with other government-sponsored initiatives (Clipper, Digital Telephony, etc.).
The subject matter of the Commission's inquiry has more to do with authentication than message encryption, and more to do with infrastructure and network security. And as it happens there is no problem getting export licenses for authentication-only software with as secure a key as you like and no escrow. RIPEM/SIG did it years ago. You aren't even on the same page as this issue.
There is more to security than authentication, as I'm sure you also know but are choosing to ignore. Authentication alone may suffice in some situations but clearly not all. And in fact, this merely supports my point: left to government's preference, we'll all be well-authenticated when the surveillance tapes are introduced into evidence. (:-)
Again, you are trying to fight a different battle in the wrong arena. This isn't about your ability to encrypt your traffic. It's about securing the domestic infrastructure against information warfare. I know this is beginning to sound tiresome, but you'd better do your homework.
Indeed. This isn't a different battle, though; it's all interwoven. I don't want the government responsible for "securing the domestic infrastructure..." for the same reason that I don't want them telling me where or to whom I can sell crypto. They haven't any right to, IMO, and besides, I don't trust them to look out for my interests.

-- Jeff