On Wed, Oct 15, 1997 at 02:10:54PM -0400, Eli Brandt wrote:

Bruce Schneier wrote:

...

From: "Barbara Simons" <simons@VNET.IBM.COM>

Some of these are old arguments that we've been hearing for a while, but some are newer. In particular, points 4 and 6 are difficult to refute without getting into some technical details. Both points also undercut the argument that a key recovery infrastructure potentially weakens security. After all, the NSA thinks it's secure enough that it can be used by the government.

Non-technical point: the NSA (reportedly) has no intention of using GAK for classified information. They know that it weakens security.

You have this wrong. In fact, NSA *supplies* keys for classified encryption equipment. They never told me whether they "escrowed" copies of the keys they supply -- what do you think?

Do the privacy of the nation's data and the security of its information infrastructure deserve the same consideration as the Pentagon's "Confidential" memos? When you're planning to build in a single point of failure, this is a question you have to ask.

In fact, it's much more complex. People with real classified data don't trust encryption at all, and they only use it if they absolutely have to. They, unlike many cypherpunks, remember well that there are other ways to get information besides running big computers, and if you have protections against those in place already, crypto doesn't buy much. But classified data isn't really interesting. Though by any measure there are huge amounts of it, it is dwarfed by the amount of government data that is not classified. To protect that data government agencies will use comercial crypto, and "key recovery" *will* be required in any commercial product purchased by a government agency. As use of crypto becomes commonplace business practice, the government market will be huge, and consequently, commercial products with key recovery *will* be prevelant. Any company that doesn't supply it will be relegated to niche markets, and, if legal winds blow the wrong way, eliminated. Crow This message was automatically remailed. The sender is unknown, unlogged, and nonreplyable. Send complaints and blocking requests to <goddesshera@juno.com>.