Re: ACM/IEEE Letter on Cryp
[on the Burns bill] At 04:55 PM 4/3/96 -0500, Dave Banisar wrote:
The draft bill which currently exists only takes the export controls on crypto. The provisions on key escrow, criminal penalties and other problems are not in there and Burns staff have no intention of letting them in. The actual bill will be introduced in about 2 weeks. -dave
That sounds okay as far as it goes, but I can see a potential problem. Your wording above is unclear, but if the Burns bill totally eliminates export controls that's great. However, we've frequently heard talk of "compromises" like the Leahy bill which seem to relate exportable encryption to that which is already available overseas. There have been suspicions around there that this is intended to keep the American producers out of the market as long as possible, which is still a problem. I don't think that's acceptable. It's also not logical. Even if we assume that the strongest encryption available overseas is 2048-bit RSA, that's far more secure than 1024-bit PGP, which itself (I've heard...) is probably 1-10 million times stronger than 512-bit PGP, and the last is probably just barely within the reach of even the NSA with a reasonable amount of resources directed at the task. Obviously, this means that the best encryption commonly available is so far beyond what the NSA can decrypt that there appears to be no point in denying somebody the right to export 3000-bit RSA, when 2048-bit versions are already in use. In addition, even if this condition is assumed, there is a question about whether or not export will or must be automatically approved for any program which uses encryption equally or less strong than, say, 2048-bit PGP, or whether they will refuse export of programs which use encryption to implement functions that are "politically incorrect" despite the fact they use only "exportable level" encryption. I could mention a specific example, but if you've followed my essays you already know what I'm talking about. The government could still deter new and innovative ideas utilizing encryption that themselves don't already exist overseas.
I think there's a serious enough danger here that we should insist on (at least) wording that completely takes the decision-making authority out of the government's hands for encryption that uses the same or less key length than the maximum available overseas, regardless of its function. I don't want even this minimal restriction, but if that's what it takes to pass the Burns bill, it's progress anyway. I'm sure somebody can extend (or already has extended) foreign-source PGP to 4096-bit keys to push the limit well beyond any practical limit, if 2048 bits isn't there already.

Jim Bell jimbell@pacifier.com
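The "1-10 million times stronger" comparison between 512-bit and 1024-bit RSA keys in the message above can be checked against the textbook heuristic running time of the General Number Field Sieve. The following is an added example, not part of the original thread: it evaluates the standard GNFS L-notation estimate (with the classical exponent constant (64/9)^(1/3), ignoring lower-order and constant factors) for the key sizes the message mentions, so only ratios between sizes are meaningful, not absolute operation counts.

```python
import math

# Classical GNFS exponent constant c = (64/9)^(1/3) in L_n[1/3, c].
GNFS_CONSTANT = (64 / 9) ** (1 / 3)


def gnfs_log2_work(bits: int) -> float:
    """Heuristic GNFS effort to factor a `bits`-bit RSA modulus, as log2(work).

    Uses L(n) = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)) with n ~ 2**bits.
    Constant and lower-order factors are dropped, so treat the result as a
    relative scale, not a count of CPU operations.
    """
    ln_n = bits * math.log(2)
    ln_work = GNFS_CONSTANT * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)


def work_ratio(bits_small: int, bits_large: int) -> float:
    """How many times more factoring effort the larger modulus needs than the smaller."""
    return 2 ** (gnfs_log2_work(bits_large) - gnfs_log2_work(bits_small))


def compare_key_sizes(sizes=(512, 1024, 2048, 3000, 4096)) -> list[tuple[int, float, float]]:
    """Return (bits, log2 work, ratio to previous size) for each size in order."""
    rows = []
    previous = None
    for bits in sizes:
        ratio = work_ratio(previous, bits) if previous is not None else 1.0
        rows.append((bits, round(gnfs_log2_work(bits), 1), ratio))
        previous = bits
    return rows


if __name__ == "__main__":
    print(f"{'bits':>5} {'log2(work)':>11} {'x previous size':>16}")
    for bits, log2_work, ratio in compare_key_sizes():
        print(f"{bits:>5} {log2_work:>11.1f} {ratio:>16.3g}")
```

Under this heuristic the 512 to 1024 step costs roughly 2^23, a factor of several million, which is consistent with the range quoted above; the 1024 to 2048 step is a further factor of about a billion.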