Notes from the Cypherpunks September Bay Area Meeting
Here are some notes I took at the Cypherpunks September Bay Area Meeting on September 13 at "PGP World Headquarters" in San Mateo. Quotes are summaries and interpretations, but hopefully fair and accurate. My interpolations are enclosed in square brackets. Cypherpunks meetings are not particularly formal, but more like a dialog between a number of people, punctuated with slightly more formal presentations.

----

Introductory discussion of the recent crypto-gutting legislative proposals.

----

Eric Hughes (EH): This is the fifth anniversary of Cypherpunks. At the first meeting, we demonstrated a number of the technologies that are now becoming widespread, including remailers, and breaking weak (i.e., exportable) cryptography.

Tim May (Tim): What we feared five years ago is worse than Clipper -- it's an absolute disaster. The government has declared war on privacy. The only survivor is likely to be Trusted Information Systems, which has a very close connection to the NSA.

EH: The government now desires access to all plaintext communication.

Tim: The British, and OECD, trusted third party proposal is a nightmare: even if you have access to software such as PGP and Explorer that provides strong privacy, the British now regard the keys you need to use that technology as "crypto material" -- and it will be illegal to distribute unbreakable keys [presumably without license or escrow capabilities].

Vinnie Moscaritolo (Vinnie): Black market?

EH: No: there will be an underground market [the distinction is important]. What we need is legitimate distribution of keys and crypto. Social pressure will otherwise keep crypto unused.

Tim: Quoting Whitfield Diffie: this is like the war on drugs. Ban crypto and companies will deputize themselves to assist the government just as they did by requiring urine tests.
EH: [The computer industry is moving to] remote policy enforcement -- copyright enforcement [to prevent you from using software if you don't have a license to it, or to prevent you from viewing a copy of a movie]. The same mechanisms can be used to enforce crypto regulations. You can characterize GAK/ATP (Government access to keys, access to plaintext) as possession with the intent to communicate.

Tim: The intelligence community wants to be your supplier of big-brother crypto. They are not fascists; they just don't have a clue. Intel's next [next plus one?] generation processors will devote 3-4% of their chip area to functions that facilitate encryption. All processors will be serial-numbered. [This makes it very simple to "seal" a program so it can only be used on a single, specific, processor. This capability has been used for a decade in the minicomputer world.]

Tim/EH: The battle must be fought in [the context of] the First Amendment. Quoting Don Hayes: "Nothing good can come out of crypto." [I think Hayes was referring to crypto legislation.]

-----

Jeremy of Blue Money Software briefly described their electronic cash programming interface.

Someone (Jeremy?) described an "onion routing" electronic mail protocol that conceals all information. This lets two people communicate without any external party either reading the mail or determining the sender or receiver. This was developed by the U.S. Naval Research Laboratories. They need this because they otherwise cannot conceal sensitive communications within public traffic.

-----

Kelly Blough, PGP's Government Relations representative, discussed the recent legislation initiatives.

The Pro Code bill is dead. Stuck in a Senate committee.

The McCain Kerry bill passed commerce, but was not reported out: McCain doesn't like it. This is good news.

The SAFE bill (in the House) passed the [which?] committee in a way that we like. The bill removes export control on public code.
It allows Americans full access to strong crypto. It was referred to National Security, Commerce, and [International Relations?] committees. National Security gutted the bill. Intelligence added FBI-requested access to plaintext. This was done in an unusual closed-door markup. [These are usually only done for military and intelligence funding bills.] "The intelligence community wants to set policy."

Dave Del Torto (DDT): A friend says that the military intelligence personnel are swarming on the Hill.

Kelly: thinks that this is mostly driven by domestic law enforcement, not the military.

Commerce added a gutting amendment, but now waiting two weeks.

Tim: Declan McCullagh said that Louis Freeh said that, if a Congressman votes against gutting crypto, the FBI will blame the next Oklahoma City bombing on that Congressman.

Kelly: This is good in one way: the cards are now on the table. The regional telephone companies, auto manufacturers, are all on PGP's side: "How can we help?" Banks and other financial institutions are not on PGP's side: because of the export exception. Maybe this will change when the impact of domestic restrictions sinks in.

John Gilmore (JohnG): sent a fax to his representative, Nancy Pelosi. Asked whether this law should be passed without review. Her chief of staff replied that Pelosi brought up issues, but didn't change the consensus. Also brought up the lack of law enforcement tracking and notification.

Tom Lantos, who sits on both the National Security and International Relations committees (and who is the representative for PGP's district) -- for someone who is strong on human rights, he is voting against strong crypto.

Tim: Why does PGP participate in export committees?

Kelly: Industry group to lobby: Microsoft, etc. Big companies: trying to demonstrate that it's not just software.

DDT: Electronic Freedom Foundation?

JohnG: We got out of lobbying. Focussing on the Bernstein appeal. John is talking to Pelosi individually.
She will write a minority report of disagreement with the National Security committee decision.

EH: PGP needs support from cypherpunks.

Kelly: Lobbying media. Gutting crypto gives government access to reporters' notes, to communication with anonymous sources. [Also lawyer, client.] The SAFE bill will probably go to the floor as written. Amendments must be voted upon. Pro Code is dead.

DDT: Political liability: Gore was thought to be a friend to Silicon Valley -- maybe not now. But, maybe he doesn't think that Silicon Valley helped Clinton in 1996.

JohnG: The "one time review" proposal lets "NSA read your source code". Lets them find holes in your product. Pelosi's chief of staff said to John that it will be illegal to sell strong crypto immediately after the law passes. But distribution will be allowed until 2000. This was put in for PGP: human rights workers are using it -- this will let PGP spread around for three years.

Tim [?]: WIPO (world intellectual property agreement) will ban all forms of code cracking. Pushed by content providers to secure their intellectual property.

Kelly, with PGP former president Tom Steddings, wrote the recent California legislature resolution.

JohnG: Trusted Information Systems has three patents on key recovery.

EH: Why do the Feds want access to plaintext? The motivation has not been made clear. Policy goals are stated in technological terms, not in policy terms.

-------

Other notes (more technical)

Don't use a hardware black-box to generate private keys: they can leak private key information in the public key. Use a mix of software and hardware: do final generation in auditable software.

Ian Goldberg: Move crypto to Palm Pilot. Demonstrated secure e-mail and web browsing on a Palm Pilot connected (through a bizarre collection of cables) to a Metricom radio modem.

Dave Lainer [??] discussed cell phone privacy.
There are three kinds of information that need to be secured: the voice message, the number that you are calling, and the cell-phone identification. None of this is secure on analog phones. The phone companies don't care about user privacy: only about call setup privacy. NSA lied to telecom committees about call security. Voice privacy is trivial.

PGP is trying to get their PGP phone technology into digital cell phones. This can do end-to-end encryption between PDP-enhanced phones. There are several kinds of information that need to be secured: voice, billing information, dialed numbers, and the caller's physical location. The government likes secure billing information -- if they don't know who made the call, they can't use it as evidence against an accused.

JohnG: the cell phone authentication algorithm was recently cracked.

EH: New Japanese phenomenon: tiny PKS cell phones. Teen-agers (who are driving lifestyle changes) all use them.

----

DDT: Discussed Open PGP: a non-proprietary standard presented to IETF: This includes a public-key infrastructure, trust model, message format, MIME (content format), and meta-certificate technology. Proposed to the Vatican (Papal representatives must communicate with Rome). Big battle in Rome between Netscape and Microsoft to be the "official browser of the Vatican." Big is an underestimate: Microsoft is offering "eternal" licenses.

----

My notes end here. Apologies for any errors in transcription or understanding.

Martin Minow
minow@apple.com
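The key-generation advice in the technical notes above (take entropy from hardware, but do the final generation in auditable software), sketched as an added example that is not part of the original notes. The function names, the context label and the stuck hardware source are assumptions made for illustration; the mixing step is HKDF (RFC 5869) built from Python's standard hmac module.

```python
import hashlib
import hmac
import os

HASH_LEN = 32  # SHA-256 output size in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def mix_seed(hw_bytes: bytes, sw_bytes: bytes) -> bytes:
    """Combine hardware and software entropy into a 32-byte private-key seed.

    Each input is length-prefixed so the boundary between them is unambiguous.
    The seed stays unpredictable if either input is unpredictable, provided
    the hardware cannot observe the software input.
    """
    ikm = b"".join(len(p).to_bytes(4, "big") + p for p in (hw_bytes, sw_bytes))
    prk = hkdf_extract(b"keygen-mix-v1", ikm)  # hypothetical context label
    return hkdf_expand(prk, b"private-key-seed", HASH_LEN)


def stuck_hardware_rng(n: int) -> bytes:
    """Constructed stand-in for a black box whose output an outsider can predict."""
    return b"\x42" * n


def generate_seed(hw_source=stuck_hardware_rng, sw_source=os.urandom) -> bytes:
    """Final generation step, done in software that can be read and tested."""
    return mix_seed(hw_source(32), sw_source(32))


if __name__ == "__main__":
    a, b = generate_seed(), generate_seed()
    print("seeds differ despite stuck hardware:", a != b)
```

The seed would then feed a deterministic key-generation routine, so the black box never chooses the private key or computes the public key itself.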
Martin Minow <minow@apple.com> writes:
EH: New Japanese phenomenon: tiny PKS cell phones. Teen-agers (who are driving lifestyle changes) all use them.
What is a PKS phone? Does it have end to end encryption? Or is it just a standard GSM phone in a star-trek communicator style form-factor, or something else?

Adam
--
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
On Tue, 16 Sep 1997, Adam Back wrote:
What is a PKS phone?
Does it have end to end encryption? Or is it just a standard GSM phone in a star-trek communicator style form-factor, or something else?
and Cynthia Brown replied:
Could be a typo for PCS, which is similar to GSM but uses the 1.9 GHz band instead of 900 MHz (GSM) or 1.8 GHz (DCS). Unfortunately, I don't think there are dual-mode phones yet.
I think Cynthia is correct (I was transcribing Eric Hughes' Japanese "trip report"). Eric was talking about a very small micro-cell phone extremely popular with Japanese teenagers. Martin Minow minow@apple.com
On Tue, 16 Sep 1997, Adam Back wrote:
Martin Minow <minow@apple.com> writes:
EH: New Japanese phenomenon: tiny PKS cell phones. Teen-agers (who are driving lifestyle changes) all use them.
What is a PKS phone?
Does it have end to end encryption? Or is it just a standard GSM phone in a star-trek communicator style form-factor, or something else?
Could be a typo for PCS, which is similar to GSM but uses the 1.9 GHz band instead of 900 MHz (GSM) or 1.8 GHz (DCS). Unfortunately, I don't think there are dual-mode phones yet.

Cynthia

===============================================================
Cynthia H. Brown, P.Eng.
E-mail: cynthb@iosphere.net | PGP Key: See Home Page
Home Page: http://www.iosphere.net/~cynthb/
Junk mail will be ignored in the order in which it is received.
Klein bottle for rent; enquire within.
Could be a typo for PCS, which is similar to GSM but uses the 1.9 GHz band instead of 900 MHz (GSM) or 1.8 GHz (DCS). Unfortunately, I don't think there are dual-mode phones yet.
I think Cynthia is correct (I was transcribing Eric Hughes' Japanese "trip report"). Eric was talking about a very small micro-cell phone extremely popular with Japanese teenagers.
I think it's more likely a typo for PHS, or Personal Hand-Phone System, a Japanese micro-cellular system.

--begin

Churn Hits Japanese PHS Providers, Too
Astel/DDI/NTT Personal
09/12/97

The US isn't the only region facing problems relating to churn. In Japan, the PHS providers have been swamped with an avalanche of cancellations according to a South China Morning Post report. Sources at three PHS companies, Astel, DDI and NTT Personal, say the cancellations are a reaction to excessive promotion last year when the US$300 telephones were handed out for as little as a yen each.

"People who should never have subscribed to a portable phone service were enrolled and now they are canceling," DDI's Junichi Takahashi said. In addition, August is typically a month for student cancellations, a large segment of the PHS subscriber base, though one analyst said the quality of the service was poor.

The report indicates that hundreds of thousands of cancellations almost cancelled out new orders last month, resulting in the lowest net monthly increase to date of 62,000 units.

Analysts were not entirely convinced by the explanations offered. Deutsche Morgan Grenfell analyst Naoki Sato said, "The PHS phones are of lousy quality; you often get busy signals or else no signal at all and you cannot use them in cars or trains, so people have begun switching to cellular phones." He said although some analysts expected the PHS system to perish within two years, he thought it would survive as a tool for mobile computing.

--end

--Steve
participants (4): Adam Back, Cynthia Brown, Martin Minow, Steve Schear