At 12:58 AM 11/8/1996, stewarts@ix.netcom.com wrote:

Strong vs. weak crypto isn't the real issue - for most business use, weak crypto is obviously unacceptable, but strong crypto with GAK is ok as long as it doesn't interfere with use (and as long as the government bureaucrats don't sell too many keys.)

We often say that the government is a security weak point and that this makes GAK impractical. However, this is not true. If the holders of the government keys were individually responsible for their release, they would not be released very often. That is, in order to use cryptography you must purchase an expensive encryption license. That pays the salary of a certified "key escrow agent" who is the only person who can decrypt your messages. What stops him from revealing your keys to unauthorized parties? It's his business. If that's not enough, you back it up with criminal penalties for disclosure. And, hiring this person is no different from hiring an employee for your company. There are already similar activities. Lawyers are nominally employees of the state. Employees of Swiss banks can go to jail for violating their secrecy laws.

The government might be able to stop new Netscape versions from using strong crypto - threatening to confiscate the company's ill-gotten gains from aiding and abetting money launderers might help, and threatening to confiscate PCs that use unapproved crypto. But it's tough to use a widespread threat like that on popular software once it's out there.

I agree, if the software is popular. But, if the fears of the GAKers and the dreams of certain cypherpunks are real, such software will not be popular. Peter Hendrickson ph@netcom.com