Reposted for background on the Netscape $5m IOUNSA for its insecure future: Note that Messrs. Clark and Andreeson can't sell their stock until two years post IPO. ------------------ Nov. 6, 1995 Contact: Anne Enright Shepherd (301) 975-4858 anne.shepherd@nist.gov MEDIA ADVISORY U.S. GOVERNMENT SEEKS PUBLIC COMMENT ON DRAFT EXPORT CRITERIA FOR KEY ESCROW ENCRYPTION Revised proposed export criteria for software encryption products using a key escrow mechanism are now available for public review. Public comment will be solicited at a Dec. 5 meeting to be held at the Commerce Department's National Institute of Standards and Technology. Key escrow encryption is part of the Clinton Administration's initiative to promote the use of strong techniques to protect the privacy of data and voice transmissions by companies, government agencies and others without compromising the government's ability to carry out lawful electronic surveillance and to execute search warrants for electronically stored communications. The exportability criteria being proposed are for an expedited licensing review process for software key escrow encryption products with keys up to 64 bits long. The U.S. Interagency Working Group on Encryption and Telecommunications, a body that develops recommendations on Administration encryption policies, solicits additional public comment on the revised criteria. Since the Clinton Administration's Aug. 17, 1995, announcement of proposed liberalization of export control procedures for key escrow software products with key lengths up to 64 bits, the working group has met with representatives of computer hardware and software manufacturers, industry trade associations and others interested in providing strong security for electronic data and transmissions. Based on comments received to date from industry, the criteria have been revised to better reflect commercial interests while balancing the needs of law enforcement and national security. These criteria do not replace or supersede any other licensing processes or criteria. Export applications for other types of products will use the existing licensing process. The Dec. 5 meeting, to be held from 9 a.m. to 5 p.m. at NIST in Gaithersburg, Md., is free and open to the public. Representatives from the interagency encryption working group will discuss the draft criteria and answer related questions. Those interested in attending the workshop can register before Nov. 30 by sending their name, organization, postal address, phone, fax number and e-mail address to Elaine Frye of NIST by fax: (301) 948-1784 or e-mail: elaine.frye@nist.gov. For additional information, call (301) 975-2819. Once public comments are received and the export criteria are given any necessary clarifications, the Department of State is expected to issue guidance incorporating the criteria in early 1996. Products will be reviewed by the State Department to verify that they satisfy the final criteria. Products meeting the criteria will be transferred to the Commodity Control List administered by the Commerce Department's Bureau of Export Administration, where they can be exported under a general license. The revised proposed export criteria are available on the World Wide Web at http://csrc.ncsl.nist.gov/keyescrow/. Reporters may also request a copy from Anne Enright Shepherd at NIST, (301) 975-2762, fax: (301) 926-1630, or e-mail: anne.shepherd@nist.gov. ------------------- Meeting Announcement Draft 64-bit Software Key Escrow Encryption Export Criteria On December 5, 1995, the Commerce Department's National Institute of Standards and Technology (NIST) will sponsor a meeting to discuss proposed exportability criteria (11/95 version) for 64-bit software key escrow encryption. This meeting continues the industry- government dialog of an earlier NIST-sponsored meeting held in September. At that meeting, officials of the U.S. Interagency Working Group on Encryption and Telecommunications (IWG/ET) met with industry representatives and other interested parties to discuss an initial draft of these criteria. In response to comments received, the criteria have been revised with the intent of achieving commercial acceptance within the flexibility permitted by law enforcement and national security constraints. Changes to the proposed criteria have been made, and a new draft is now available for public review and comment. At the upcoming meeting, representatives from the IWG/ET will discuss the draft criteria and answer related questions. Time will follow for industry representatives and other interested parties to comment on the criteria. Also, breakout sessions will be held to discuss each criterion in greater detail. At a minimum, Government representatives are scheduled to attend from the Office of Science and Technology Policy, National Security Council, the U.S. Department of State, the U.S. Department of Justice, the U.S. Department of Commerce, the National Security Agency, and the Federal Bureau of Investigation. The meeting will be held on Tuesday, December 5, 1995 from 9:00 a.m. to 5:00 p.m. at NIST in Gaithersburg, Maryland in the Red Auditorium of the Administration Building. Please register via e-mail (to "elaine.frye@nist.gov") or via fax (301-948-1784) before November 30, 1995. To register, please provide: 1) your name, 2) organization, 3) postal address, 4) phone, 5) fax number and 6) e-mail address. Alternatively, walk-up registration will be available on-site the day of the meeting. Directions from Washington, DC: from the Beltway (I-495) take I-270 North to Exit 10 (Clopper Road). At the first traffic light (Bureau Drive), turn left into the main entrance to NIST. Follow signs to the Administration Building parking lot. The receptionist at the entrance to the Administration Building can provide directions to the Red Auditorium. If you would like to make a presentation with your comments on the proposed criteria, you are asked to contact Elaine Frye at NIST via e-mail at "elaine.frye@nist.gov" or via telephone on 301- 975-2819 by November 30, 1995. The number of presentations as well as their length may be limited. Presenters (and others wishing to distribute material) are asked to bring 250 (attendance estimate) copies of their presentations to the meeting. ----------------- Draft Software Key Escrow Encryption Export Criteria (11/95 version) Export control jurisdiction for a software key escrow encryption product that meets the following criteria, as determined by the U.S. Department of State after a one-time review, will be transferred to the U.S. Department of Commerce for export licensing. These criteria do not alter existing licensing practices applicable to other encryption products or modes. Vendors must still submit other encryption to the U.S. Department of State for review and export licensing, or jurisdiction transfer as appropriate. Vendors contemplating the development of encryption products are encouraged to discuss their export objectives with the U.S. Government. Key Escrow Feature 1. The key(s) required to decrypt the product's key escrow cryptographic functions' ciphertext shall be accessible through a key escrow feature. 2. The product's key escrow cryptographic functions shall be inoperable until the key(s) is escrowed in accordance with #3. 3. The product's key escrow cryptographic functions' key(s) shall be escrowed with escrow agent(s) certified by the U.S. Government, or certified by foreign governments with which the U.S. Government has formal agreements consistent with U.S. law enforcement and national security requirements. 4. The product's key escrow cryptographic functions' ciphertext shall contain, in an accessible format and with a reasonable frequency, the identity of the key escrow agent(s) and information sufficient for the escrow agent(s) to identify the key(s) required to decrypt the ciphertext. 5. The product's key escrow feature shall allow access to the key(s) needed to decrypt the product's ciphertext regardless of whether the product generated or received the ciphertext. 6. The product's key escrow feature shall allow for the recovery of multiple decryption keys during the period of authorized access without requiring repeated presentations of the access authorization to the key escrow agent(s). Key Length Feature 7. The product's key escrow cryptographic functions shall use an unclassified encryption algorithm with a key length not to exceed sixty-four (64) bits. 8. The product's key escrow cryptographic functions shall not provide the feature of multiple encryption (e.g., triple- DES). Interoperability Feature 9. The product's key escrow cryptographic functions shall interoperate only with key escrow cryptographic functions in products that meet these criteria, and shall not interoperate with the cryptographic functions of a product whose key escrow encryption function has been altered, bypassed, disabled, or otherwise rendered inoperative. Design, Implementation, and Operational Assurance 10. The product shall be resistant to anything that could disable or circumvent the attributes described in #1 through #9. ------------------ Background Paper Changes to the Criteria Based on Earlier Public Input The government presented draft criteria (9/95 version) for the export of software-based key escrow encryption at an open meeting at NIST on September 6-7, 1995. Meeting participants suggested several changes to the criteria; the government re-drafted the criteria as described below. Industry's ideas and words were included when possible and given serious consideration consistent with the protection of fundamental interests (e.g., privacy and national security). General changes to the document: The document was re-structured to make it clearer. After the introductory text, related criteria are grouped into the following categories: a. key escrow feature b. key length feature c. interoperability feature d. assurances Changes to the introductory text: The wording has been clarified, and additional words have been included to encourage vendors that are considering building non-escrowed encryption products to discuss their export objectives with the government. Changes to the criteria: The criteria presented at the September 6-7 meeting have been modified in the following ways: Old Criterion 1. Moved to #7; wording clarified. Old Criterion 2. Moved to #8; wording clarified. Old Criterion 3. Split into #1 and #2 since the original criterion had two major points in it (the requirements for key escrow, and the requirement on when the keys are first escrowed); wording clarified. Old Criterion 4. Wording clarified; the notion of accessibility to authorized entities was modified to explicitly state that the required information must be available with a reasonable frequency. Old Criterion 5. Moved to #10; wording clarified, and the example was deleted so that implementors were not misled to believe that the example given was the only way of satisfying that requirement. Old Criterion 6. Moved to #9; wording clarified, and applicability of this requirement was scoped to address interoperability between a product's key escrow mode and a non-key escrow product. Old Criterion 7. Moved to #5; wording clarified. Old Criterion 8. Moved to #6; wording clarified because the term "repeated involvement" was perceived as being too broad. Old Criterion 9. Deleted. Old Criterion 10. Moved to #3; wording clarified, and requirement modified to not preclude the escrow of key by agents in addition to those required by these criteria. Note: The September (and November) version of the criteria is available electronically at: "http://csrc.ncsl.nist.gov/keyescrow/" ***************************************************** Elaine Frye Computer Systems Laboratory, NIST Bldg. 225/Rm.B154 Gaithersburg, MD 20899-0001 Voice: 301/975-2819 Fax: 301/948-1784 *****************************************************