Peter Wayner <pcw@access.digex.net> writes of the NIST announcements to develop software-based key escrow. I think it would be utmost folly for software developers to work with the NIST and NSA on this or invest any time or capital. The fundamental requirement for NSA approval is the implementation of Skipjack in *software* in such a way that the algorithm is *protected* like it is in the booby trapped Clipper chips-- that is, impossible to deduce. But this appears to be complete *fantasy*. Any such system must rely on some kind of a hardware approach. But then we're back to where we've started -- Clipper and Capstone. Only the NSA has enough inbred, insular self-delusion to propose that 'secure' software is even a *possibility*. These companies could better spend their time proving that Fermat's Last Theorem is FALSE. (Hey Cypherpunks! I KNOW! what we need is a Secure Clipper Encryption Server that handles encryption via Email! Let's get the NSA to run it! Then it would *really* be secure! <SMIRK>) Furthermore, anyone who submits to this development is giving the NSA valuable (free?) development time for the purpose of, fundamentally, a KEY ESCROW SYSTEM. Now, perhaps someone can explain to me why a software system for depriving us of our rights is superior to one in hardware? Doesn't anyone have the faint glimmer of the idea that NSA, the *premier* cryptographic agency in the *world*, with unsurpassed technological and engineering prowess in the area, would have already *figured out* how to do this if it was *at all* feasible? Personally, I think this stinks putridly of an NSA decoy to simply claim or suggest that they're responsive to alternative solutions. This is nothing but a *cruel mirage* in a *barren desert*.

At the end, the group owns the intellectual property rights to what is discovered. This may be something patentable and it could be worth some money. I don't know how likely this is, but it seems possible. In fact, it is probably the reason many of the participants are willing to enter into the project.

yes, that's *exactly* what we need -- another software patent. But this is just a meaningless dangling carrot. (They damn well *better* have rights to whatever they develop under private capital.)

The role of NIST is both gatekeeper and fascilitator. They get everyone together and occasionally push things along. In this case, they'll also offer some technical assistance which will include feedback from the NSA. Dennis Branstad said that this would most likely take the form of Siskel and Ebert-like ratings of the systems proposed. The NSA would suggest, "Yes" or "No" but they probably wouldn't go into details. This is because the procedure would be unclassified and the NSA usually won't relate technical details without classifying them.

Take a LOOK at what you've written, and ask if this project has ANY CHANCE of succeeding. The NIST is proposing that a lot of companies put in work into a key escrow system in software, that the NSA has ultimate overruling veto power with *no explanation* of negative answers. This all to come up with something that the NSA ultimately must *accept* under the whole point of the proposal. What's the POINT?! Yes, sign me up today to do DEVELOPMENT WORK for the NSA on a KEY ESCROW SYSTEM. Let's put in thousands of man-hours to come up with something as fundamentally feasible in principle as perpetual motion! All for the sheer joy of the thought the NSA *might* pat us on the back! how could this be anything but the most PRODUCTIVE and REWARDING experience?! A company would have to be INSANE to go with this as presented!

* Is this process intended to fail? Will NIST just keep saying that software isn't good enough and that way they'll be able to answer the criticism that hardware is too expensive?

you mean the NSA -- and does that answer your question?

* How selective is the group formation process? Are people really out for money?

I think NIST would be overjoyed to hear that anyone outside of NSA consultants is interested.

* There are supposedly several other groups interested in participating. Who are they? Is it RSA and PKP?

RSA, PKP, RSADSI, Bidzos -- that makes at least four, right? the KGB would also like a secure software system. Sternlight & Denning would surely sign up. Just another dangling carrot -- or rather, an apple with a razor blade inside.

* Is a software process really that much more insecure than a hardware based approach? Sure, it is easier to tamper with software, but given that we can always tamper with the software shell around the Clipper hardware, it shouldn't be _that_ much different.

is an ASCII text file really that much more pliable than a silicon computer chip?! I'm trying to be gentle, but you simply don't seem to get it! the NSA wants a software implementation of Clipper that is TAMPERPROOF and INVISIBLE. This is like asking for a way to send locked lead safes through phone lines! it's based on a fundamentally *bizarre* premise! We *cannot* tamper with Skipjack in its present forms of use -- Clipper and Capstone -- they would not exist unless the NSA had the tamperproof technology. And the first rule of software is that it is 'TAMPERLADEN'! ------------------------------------------------------------------------- To find out more about the anon service, send mail to help@anon.penet.fi. Due to the double-blind, any mail replies to this message will be anonymized, and an anonymous id will be allocated automatically. You have been warned. Please report any problems, inappropriate use etc. to admin@anon.penet.fi.