Suggestion for "the serious encryption customers" to end ITAR battle

I think we can all agree that the level of confidence in software-only approaches to security is clearly lower than combination software plus hardware approaches.

It is clear that what is available over the Internet is software. (It is much harder to distribute "hardware" as you can only really distribute design information. The closest analogy could be an FPGA program, a Verilog description or some other ASIC net list.)

How about the following as an approach to resolving the dispute over encryption exports:

1. Allow arbitrary exports of software-only encryption. This means that PGP is exportable as is DES crypt libraries.

2. Restrict exports of hardware-only or hardware/software encryption. This means that smart cards, HP's crypto policy cards, crypto processors with tamper-resistant casing, etc ... are restricted.

Why does this make sense?

1. Reality check on export control of software:

Software is just too transportable to be restricted, no matter WHAT the software does. Any restriction on WHERE software may be or may go is just not feasible, and it's not going to get any easier in the foreseeable future.

2. Take John Deutch at his word:

Deutch has claimed that "serious users of cryptography" would not trust software downloaded over the Internet. We clearly do not agree with him on this aspect, but if he truly believes it (and is not just making PR spin statements for the NSA), then he must believe that allowing software exports will not significantly increase the user base (and therefore, harm CIA's or NSA's intelligence capabilities), but it will shut up the software companies' complaints.

3. Give the NSA what it wants:

Software tends to standardize. Encryption is only a small part of the chain of security measures. Other weaknesses are surely part of the NSA's target for intercepts (no self-respecting codebreaking agency should stick to exploiting only one class of failures; if it is, we should question the value we are getting out of the billions of dollars we blindly give to the NSA). If the NSA stops whining about what is too hard to break, then protocol weakness and other non-encryption problems could easily creep into standards, and the NSA would surely have an analytical advantage over anyone else.

Since the NSA is happily bragging that it does not even need to crack the code to break in, it should be able to live with hardware-only export restriction. The fact that the NSA is no longer drawing any lines anywhere for software will leave the bad guys guessing as to what it can really decode.

In addition, hardware manufacturers will probably have a tougher time overturning export restrictions on hardware-enhanced solutions after that because software companies will probably not care.

It is clear that the NSA only trusts hardware implementations, as it required Clipper to be manufactured in tamper-resistant cases.

All constructive replies welcome.

Ern

At 3:37 PM -0800 12/4/96, Ernest Hua wrote:
> I think we can all agree that the level of confidence in software-only approaches to security is clearly lower than combination software plus hardware approaches.
>
> It is clear that what is available over the Internet is software. (It is much harder to distribute "hardware" as you can only really distribute design information. The closest analogy could be an FPGA program, a Verilog description or some other ASIC net list.)

But of course this is a distinction without a difference, at least for all but 0.00073% of Internet users. That is, downloading a Verilog or whatever description would be no more "verifiable to the user" than a software-only program. In fact, the hardware description _is_ just another program!

> How about the following as an approach to resolving the dispute over encryption exports:
>
> 1. Allow arbitrary exports of software-only encryption.

The government will of course not be fooled by this. Whether one accepts my point that hardware = software (effectively), the government has heretofore seen software as an important issue.

In fact, I will take issue with my distinguished colleague (are you satisfied, Logos?) Ernest Hua's point that only hardware provides real security. To wit, for several years we on the Cypherpunks list have advocated this strategy:

-- standardized hardware, such as PCs and SoundBlaster cards
-- community-checkable software, such as PGP

This combination is preferable to "black boxes" which the average user cannot verify (not that the average user can verify, say, PGP, but digital signatures mean the average user can more effectively "trust" the consensus of those who _have_ looked at, say, PGP 2.6ui, and have vouched for it).

(This debate came up several times when people proposed specialized hardware, which would be a) hard to verify, b) hard to distribute widely, and c) something very few people would casually try. Regardless of our arguments--though perhaps confirming them--there have been no commonly used hardware widgets or cards used by any significant number of us.)

> 2. Take John Deutch at his word:
>
> Deutch has claimed that "serious users of cryptography" would not trust software downloaded over the Internet. We clearly do not agree with him on this aspect, but if he truly believes it (and is not just making PR spin statements for the NSA), then he must believe that allowing software exports will not significantly increase the user base (and therefore, harm CIA's or NSA's intelligence capabilities), but it will shut up the software companies' complaints.

I don't think he believes this. Think: FUD. There is no evidence that properly authenticated PGP is "weak." And if it were, John Deutch would be a fool to cast doubt on it.

I think they're terrified as hell about software-only approaches running on widely-available hardware and would like nothing more than to see hardware-only approaches mandated (as this would provide slightly more control over exports and distribution). Not that this'll happen, of course.

--Tim May

Just say "No" to "Big Brother Inside"
We got computers, we're tapping phone lines, I know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1398269     | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

participants (2)
- Ernest Hua
- Timothy C. May