Info on Netscape's key escrow position
I had lunch with Jim Clark today, and explained the furor that was currently going on in cypherpunks and elsewhere. After lunch he sent me the e-mail that I've attached below to pass along. I think the gist of it is that if governments require key escrow, we will have to do it in order to sell our products with encryption into those countries.

We've actively lobbied against the government's proposal through our participation in and support of industry efforts by the ITAA, BSA, SPA and others. Next week we will be sending two representatives to the NIST key escrow conference in DC. In preparation for that meeting we have been formulating an official company position on key escrow and export restrictions. Phil, I, and other folks with cypherpunk leanings are involved in writing the policy statement. We are planning on taking a firm position against the government's key escrow proposals. Some time next week we will be posting our statement publicly, and will welcome your comments on it then.

After the NIST meeting we will also be talking to folks in Congress and the White House about our position, looking for help in getting the current export limitations removed. We will also be looking for help in getting the government's position on export-controlled FTP sites clarified so that we can make the US version of the Navigator with 128-bit crypto available for download by those people who are legally allowed to use it.

We don't have any plans to stop doing separate US and export versions of our software. As long as our customers want strong crypto and the government lets us sell it, I think we will keep doing it.

--Jeff

Jim Clark wrote:
I made some pragmatic comments.
I said that if we are to use this encryption technology in business, we must have a better solution than to limit key length or put keys in escrow. All governments of the world have a valid concern about terrorism and other activities of concern to the security of their nations. All of them will continue to restrict our ability to provide products to their markets unless we build in some mechanism that allows them to legally access information that is in the interest of their national security. (We obviously cannot be involved in determining what is legal by the laws of that country.) This is not just a US government problem. Until recently, France did not even allow us to sell products with 40-bit keys, much less 128-bit keys.
A lot of ordinary citizens are rightly concerned about their own privacy. I am one of them. I do not want the government to snoop on me, but in fact the government, through the FBI, can now tap my phone without my knowing it by simply getting sufficient evidence that I am conducting illegal activities, then presenting this evidence to a court to get permission. I have no say in the matter.
If we as a company were to take the position that in no case will we allow a government to get access to our encrypted messages, or refuse to allow key escrow with our products, the governments of the world will quickly put us out of business by outlawing the sale of our products in their countries. The fundamental issue is how do we accommodate the requirements of governments, while protecting our rights as citizens.
None of this represents the position of Netscape with respect to what we will do. But if we do not come up with a solution to this problem that is acceptable to each government, we will not be able to export our products, except with a short key length (e.g. 40 bit keys), and that will not be acceptable to corporate customers in other countries. They will create their own solution, and we will not be able to sell to a larger world market. In fact, we could even be ordered by our own government to establish a key escrow system for its use inside the US.
Ironically, anyone in the US may import unbreakable encryption technology from another country -- we just cannot sell it back to them. No one ever accused the government of being rational.
I chair an industry group called the "Global Internet Project", with members from almost twenty companies, including companies from Asia and Europe. This was the central issue we all agreed upon this morning, and we are putting together a policy statement whose purpose is to educate lawmakers on the importance of quick resolution of this matter.
Thanks for your concern. Let me know what you like and don't like.
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
Sorry, this has nothing to do with Netscape's position on GAK:

Jim Clark writes (via Jeff Weinstein):
> Until recently, France did not even allow us to sell products with 40-bit keys, much less 128-bit keys.

I'm curious about this. Were Chirac et compagnie simply dragging their feet on granting a license, have they made an actual policy change, or did they realize they could do what Damien did? It would be interesting to see more information on this development. (There's a paranoid conspiracy theory I could add to the pile here, but I don't believe it and we seem to be knee-deep in them at the moment....)

-Futplex <futplex@pseudonym.com>
Let's wait and see
Yes, Netscape got the authorisation to sell Netscape Navigator in France (40 bits), but there is no policy change or whatever; it is still a tedious product-by-product process to get auth for crypto and, obviously, you aren't going to get an auth for PGP any time soon... :-(

futplex@pseudonym.com writes:
> Sorry, this has nothing to do with Netscape's position on GAK:
>
> Jim Clark writes (via Jeff Weinstein):
> > Until recently, France did not even allow us to sell products with 40-bit keys, much less 128-bit keys.
>
> I'm curious about this. Were Chirac et compagnie simply dragging their feet on granting a license, have they made an actual policy change, or did they realize they could do what Damien did? It would be interesting to see more information on this development. (There's a paranoid conspiracy theory I could add to the pile here, but I don't believe it and we seem to be knee-deep in them at the moment....)
>
> -Futplex <futplex@pseudonym.com>
> Let's wait and see

dl
--
Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Linux|PGP|Gnu|Tcl|... Freedom
Prime#1: one hundred and five thousand one hundred and five billion one hundred and five thousand one hundred and sixty-seven
cryptographic assassination PGP Peking explosion security SDI
> I had lunch with Jim Clark today, and explained the furor that was currently going on in cypherpunks and elsewhere. After lunch he sent me the e-mail that I've attached below to pass along. I think the gist of it is that if governments require key escrow, we will have to do it in order to sell our products with encryption into those countries.

The point Netscape seems to miss is that by refusing to go with weak crypto and having the best product on the market, Netscape may be able to force these governments into a position of accepting it.

Suppose Netscape took the position that it was 512-bit RSA, and that it was for sale to anyone who wanted to buy it? The result would either be a billion dollars of market impact and a collapse of the high-tech stock bubble we are now building, or the government backing down. If the US government backed down, and Netscape became the best product around and maintained that lead for a long time, other countries would either have to allow Netscape in, or suffer the consequences of falling behind in the IT curve.

The right move for Netscape is to improve crypto-security, to refuse to give in to government, and to publicly vilify the people in government who stand in their way. When billions of dollars are at stake and the blame is placed squarely on the shoulders of a politician trying to claim economic improvements based on their policies, the politician is likely to yield.

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Dr. Frederick B. Cohen wrote:
> > I had lunch with Jim Clark today, and explained the furor that was currently going on in cypherpunks and elsewhere. After lunch he sent me the e-mail that I've attached below to pass along. I think the gist of it is that if governments require key escrow, we will have to do it in order to sell our products with encryption into those countries.
>
> The point Netscape seems to miss is that by refusing to go with weak crypto and having the best product on the market, Netscape may be able to force these governments into a position of accepting it.
>
> Suppose Netscape took the position that it was 512-bit RSA, and that it was for sale to anyone who wanted to buy it? The result would either be a billion dollars of market impact and a collapse of the high-tech stock bubble we are now building, or the government backing down.

This is exactly what the government wants. Some of the largest software companies have been producing software that only supports short key lengths for both export and domestic use for years, and it has not caused the government to back down.

> If the US government backed down, and Netscape became the best product around and maintained that lead for a long time, other countries would either have to allow Netscape in, or suffer the consequences of falling behind in the IT curve.

Many customers in other countries want our US version. They are pushing on their governments and the US government to get it. This is already happening.

--Jeff
> Many customers in other countries want our US version. They are pushing on their governments and the US government to get it. This is already happening.

Couldn't you set up a company in the Netherlands or some such place that allowed you to export to the rest of the world? There could be a US version of Netscape, produced here in the States, and a strong international version produced by a different company, using non-crypto technology licensed from Netscape and a crypto engine produced entirely offshore. You could make the offshore firm virtually worthless by forcing them to give all the money to Netscape proper in the form of licensing fees. It wouldn't matter who owned it, so you could give the franchise to a Dutch national without giving away the store. I seem to remember US companies getting around restrictions on doing business with South Africa using a similar strategy.
On Sat, 2 Dec 1995, Dr. Frederick B. Cohen wrote:
> The point Netscape seems to miss is that by refusing to go with weak crypto and having the best product on the market, Netscape may be able to force these governments into a position of accepting it.
>
> [...]
>
> The right move for Netscape is to improve crypto-security, to refuse to give in to government, and to publicly vilify the people in government who stand in their way. When billions of dollars are at stake and the blame is placed squarely on the shoulders of a politician trying to claim economic improvements based on their policies, the politician is likely to yield.

"Gee, I dunno, that sounds like a lot of work, and well, I'm making good dough. Sure, it would be a boon for the company, and fit right in with the mainstream perception that government is way too involved in Joe Random's life, and win or lose, either way it would be a major public relations coup, and would restore the confidence of many foreign customers concerned about U.S. economic intelligence goals, but well... it just sounds so... subversive. Honey, could you pass the jam?"
---
"In fact, had Bancroft not existed, Franklin might have had to invent him."
The power of knowledge lies in its use (potestas scientiae in usu est)
Nothing can revert to nothing (in nihilum nil posse reverti)
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information