What *is* the power of the FIPS

wcs at anchor.ho.att.com
Mon Feb 13 19:09:06 PST 1995


> -	QUESTION: Just what is the power of the FIPS outside of the 
> interop issues in sending stuff back and forth from federal agencies?

The basic purpose of a FIPS is to instruct government agencies
on what kinds of equipment/software they should buy.
Some FIPSs are mandatory, but most are pretty optional.
However, in this case, the purpose is basically propaganda -
the NIST can set standards, and can announce "Hey, this is standard",
and even try to get other government agencies to buy lots and
lots of Clipperphones.

The so-called FIPS for Clipper was a horrendous abuse of the FIPS process;
I took advantage of my 10 years as a defense contractor to flame out the
proposed spec in great detail.  I don't think I've still got my critique,
but essentially I contended that the proposed "Escrowed Encryption Standard"
didn't describe escrow, didn't specify encryption, and wasn't a standard....
It was fun, if you can do that sort of thing and not inhale :-)

It wasn't escrow, because the functions it describes aren't escrow,
and it doesn't mandate that they be used in a way that performs
escrow functions using the functions it does perform.
It didn't specify an encryption algorithm.
It wasn't an implementable standard, since it didn't contain enough
information for a user agency to specify an equipment design ("ask the NSA" 
just _doesn't_ rate), or for a vendor to validate whether an equipment design
is compliant, or for a user to tell if it's working properly.
From the commentary around the final FIPS, which differed in some detail
from the draft FIPS, it looks like most of the public comments were about
the political issues, but a couple of changes appeared to be responses to
technical details from the public, including things I'd flamed them about.
I don't know how positive I feel about that .....

		Bill





