Ray Arachelian taped the Cryptography Forum at the Association of the Bar of the City of New York last evening and will share once it's transcribed. In the meantime:

TITLE OF PROGRAM: Guns, Ammunition and Cryptography: Is the Government's Policy on Digital Encryption Creating a Crisis?

MODERATOR: Charles R. Nesson, Professor, Harvard Law School

PANELISTS:

Matt Blaze, Co-author of Risks of Key Recovery paper. (short-notice invitee)
Lynn McNulty (ex-NIST now RSA) filling in for Jim Bidzos
Scott Charney, Computer Crime Unit, Department of Justice
Kenneth W. Dam, Professor, University of Chicago Law School
Dorothy E. Denning
David J. Farber, University of Pennsylvania
Marc Rotenberg, EPIC

-----

Nesson asked the audience (about a hundred), "How many use encryption?" Over half raised hands. "Wow!" he said, "If I asked that of a law class at Harvard, maybe two or three hands would have been raised."

Nesson then posed the principal question: "Is the government's policy on cryptography creating a crisis?" Dam, Denning and Charney said no. Other panelists said yes. The audience by show of hands was about evenly split.

There was intense discussion among the panelists but no change in position. Some highlights:

David Kahn, in the audience, reaffirmed his support for key escrow, stating that it would not change the current legal provisions for electronically snooping, and why ask for more privacy than is now authorized.

Blaze summarized the KR risks paper and pointed out the enormous expense of designing, implementing, operating and securing a global key recovery system -- which, as he ironically smiled, could make cryptographers and crypto-corps rich. That such a system might make security weaker by offering fewer choice targets to attack -- the key repositories.

Blaze reminded that encryption will become pervasive in all electronic systems, not just communications. That it must be robust and untamperable or more and more crucial systems will be vulnerable to attack. And, the more complicated the security provisions the more likely they will fail.

Farber stated that time was being wasted on KR debate while the nation's infrastructure remained immensely vulnerable to electronic attack. He said that with six students he could shut the system down in "a few days, with, say, spoof E-mail to key administrators." That IETF is working on a next-generation system to prevent that, but meanwhile there is great risk.

McNulty reaffirmed industry's position that other countries will develop robust encryption if the US does not allow export.

Charney responded by pointing out that the administration seeks global commitment to key escrow among governments, and asserts they will comply for the same reasons the USG wants it. He said, for example, that countries may allow development of strong crypto but, like the US, will not allow export. He cited Japan's refusal to allow NTT's 128-bit export, and said Russia will surely not allow the export of the Sun/Elvis product. Same for France, Germany, and so forth.

There was audience derision when Charney noted that the US must do as the Russians and Chinese and French do to control crypto.

Interestingly, Charney did not cite The Wassenaar Arrangement, although Dam pointed out how difficult it was to reach agreement on the COCOM predecessor and enforce compliance with it.

Nesson summarized Charney's position by saying, "do you mean that key escrow would do no more than help you catch criminals too stupid to use unescrowed crypto?" Charney nodded, and said that "nearly all criminals we catch by electronic surveillance talk openly about being surveilled but do nothing to avoid it."

Nesson reiterated: "Do you mean that you want a system to catch stupid criminals while the nation's infrastructure is left vulnerable?" Charney, "That's not the right way to put it."

Denning gave examples of her recent survey of law enforcement for examples of crypto use to hinder investigations.

Finally, Dam noted that encryption policy was a different task than implementing encryption systems. That the detailed understanding of those who follow the encryption debate is not shared by the public nor by most officials. That agreement upon policy will require greater education for those who could not care less about the complications and subtleties being debated.

An auditor queried: There seems to be agreement that encryption will work best when it is totally transparent to users, and the sooner that is devised the better. Why not just get on with it?

Blaze shook his head at this cluelessness, howled at the ceiling, sprouted fur, bared teeth, leaped Dave Farber, went for Charney's jugular, clawed Denning. Kahn and the suited audience ran screaming into the safe streets of Manhattan, while shaggy coders roared, "Kill, kill, kill the infrastructure-fuckers."
John Young