I spoke with Dennis Branstad at length a couple of days ago about just what it means to get involved with NIST in the Software Key Escrow CRADA. It was a nice conversation and he told me that he personally didn't seem to think that a workable system would emerge, but that others felt differently. Plus the push for a software solution meant that the agency felt that it should at least explore the topic before dismissing it. The system seems to be quite commercial. A group of people and companies petition NIST to get involved with the project and then a group forms out of a subset of these applications. Usually this is the team that is most likely to get the job done. For that reason, people need to bring something to the project be it expertise, capital or whatever. At the end, the group owns the intellectual property rights to what is discovered. This may be something patentable and it could be worth some money. I don't know how likely this is, but it seems possible. In fact, it is probably the reason many of the participants are willing to enter into the project. The role of NIST is both gatekeeper and fascilitator. They get everyone together and occasionally push things along. In this case, they'll also offer some technical assistance which will include feedback from the NSA. Dennis Branstad said that this would most likely take the form of Siskel and Ebert-like ratings of the systems proposed. The NSA would suggest, "Yes" or "No" but they probably wouldn't go into details. This is because the procedure would be unclassified and the NSA usually won't relate technical details without classifying them. I've read the Federal Register announcement and it really isn't that interesting. There are only two columns of text and most of it is devoted to the formatting and standard operating procedures. This note contains much more information than the announcement itself. This leaves me with several questions: * Is this process intended to fail? Will NIST just keep saying that software isn't good enough and that way they'll be able to answer the criticism that hardware is too expensive? * How selective is the group formation process? Are people really out for money? * There are supposedly several other groups interested in participating. Who are they? Is it RSA and PKP? * Is a software process really that much more insecure than a hardware based approach? Sure, it is easier to tamper with software, but given that we can always tamper with the software shell around the Clipper hardware, it shouldn't be _that_ much different. -Peter