GAK Advisory Board 94
Executive Summary

This Annual Report documents activities of the National Computer System Security and Privacy Advisory Board during 1994, its sixth year.

During the year, the Board continued to review cryptography related issues. During 1994, the Escrowed Encryption Standard (EES) and the Digital Signature Standard (DSS) were approved as Federal Information Processing Standards (FIPS 185) and (FIPS 186) respectively. The Board heard briefings on escrowing release procedures, escrow program procedures, U.S. export procedures, international cryptography proposals, international corporate key escrow, alternative key escrow approaches, and software-based key escrow encryption.

The Board also continued to follow activities related to the Common Criteria (CC), which remains in draft form. [Comments on the CC will be reviewed and processed in March 1995.] The Board continued to examine the question as to whether there is a business case for setting up a Trusted Technology Assessment Program (TTAP).

Membership

Currently, Dr. Willis H. Ware, a senior researcher of the Corporate Research Staff of RAND, serves as Chairman of the Board. He was appointed in July 1989. As of December 1994, the membership of the Board is as follows:

- Chairman
  Willis H. Ware, RAND

- Federal Members
  Charlie C. Baggett, Jr., National Security Agency
  Henry H. Philcox, Department of the Treasury, Internal Revenue Service
  Cynthia C. Rand, Department of Transportation
  Stephen A. Trodden, Department of Veterans Affairs

- Non-Federal, Non-Vendor
  Genevieve M. Burns, Monsanto Corporation (Member Designate)
  Cris R. Castro, KPMG Peat Marwick
  Sandra Lambert, Citibank
  Randolph Sanovic, Mobil Corporation (Member Designate)

- Non-Federal, Vendor
  Gaetano Gangemi, Wang Laboratories, Inc.
  Linda Vetter, Oracle Corporation (Member Designate)
  Stephen T. Walker, Trusted Information Systems, Inc.
  Bill Whitehurst, International Business Machines Corp.

In December of 1994, Ms. Cynthia Rand resigned from the Board, leaving a vacancy in the federal member category.

II. Major Issues Discussed

The work of the Board during 1994 was devoted to various topics related to security of federal unclassified automated information systems. Among the most important were:

- Cryptographic Key Escrowing Procedures
- Alternative Key Escrow
- Security in the National Information Infrastructure (NII)

Escrowing Release/Program Procedures

The Department of Justice briefed the Board on procedures for release of cryptographic key components, by the two escrow agents, to government agencies. The two escrow agents are the National Institute of Standards and Technology (NIST), of the Department of Commerce, and the Automated Systems Division of the Department of Treasury. The agents act under strict procedures that ensure the security of the key components and govern their release for use in conjunction with lawful wiretaps.

NIST discussed the procedures for the key escrow program. Five federal agencies share a role in the key escrow program:

(1) the Department of Justice is a sponsor and a family key agent that holds one of the components of the family key;
(2) the Federal Bureau of Investigation is the initial law enforcement user and a family key agent that holds the other component of the family key;
(3) NIST has a dual role as the program manager and a key escrow agent;
(4) the Department of Treasury is a key escrow agent; and
(5) the National Security Agency is the system developer that provides technical assistance.

Alternative Key Escrow

Bankers Trust presented some rationales for key escrow encryption for corporations, which fulfills management supervision and compliance duties, and reduces business risks. They maintain that the Bankers Trust system can meet both U.S. and European needs. Their system has been discussed with Canada, Britain, France, Singapore, and the U.S.; however, none of these countries have endorsed the system.

Trusted Information Systems, Inc. gave a demonstration and overview of their approach to software-based key escrow encryption. They said that software key escrow systems could be built that meet the objectives of law enforcement, and that variations of their software key escrow system can provide a commercial key escrow capability that will be very appealing to corporate and individual computer users. They believe that widespread use of corporate key escrow, in which corporations operate their own key escrow centers, and individual key escrow, in which bonded commercial key escrow centers provide a key retrieval capability for registered users, will better achieve the key escrow objectives of law enforcement than a government-operated key escrow system.

[Snip 180kb of very informative docs on the main US cryptography issues of 1994, still alive in '95.]
participants (1)
-
nobody@REPLAY.COM