How I Would Ban Strong Crypto in the U.S.

Bill Stewart stewarts at ix.netcom.com
Sun Feb 2 02:11:45 PST 1997


At 09:58 AM 7/15/96 -0400, about six months ago, when Clipper III was new,
Raph Levien wrote:
>1. The battle over whether applications can contain strong encryption 
>algorithms has basically been lost. For example, SSL-enabled 
>applications are widely available over the world, thanks in large part 
>to the work of Eric Young. The same will happen for any other encryption 
>protocol that catches on.

Unfortunately, the Government hasn't given up on this one;
Peter Gutman's recent articles on export policy in New Zealand and
Australia suggest that Our Public Servants are trying an end-run
by getting those countries to stop export and development by productive 
crypto authors, targeting the toolkits that are being widely used
inside and outside the US.

>2. The battle for key management has not yet been fought. 

Yeah.  I haven't heard much from Clipper III recently,
since they've been trumpeting Clipper IV "Key Recovery" recently,
but that doesn't mean it's not going on.  Unlike politican efforts
such as Key Recovery, infrastructure attacks such as PKI
may require long-term technical development - the Cooperative
Research and Development Alliances (CRADAs) are not just to
bribe otherwise-valuable companies to stay out of the way,
they're to do things that may be sprung on us later;
I'd predict this coming summer.  For instance, back in July,
John Young quoted a Business Wire article about
 =  Toronto -- Certicom Corp. a leading information security 
 =  company, today announced that it will participate in an 
 =  initiative by the U.S. Commerce Department's National 
 =  Institute of Standards and Technology (NIST) which will 
 =  lead to the development of the elements of a public key 
 =  infrastructure (PKI).  
Certicom are the folks who do Elliptic Curve Cryptosystems,
which haven't been used much due to patent questions and 
RSA's dominance, but which allow much shorter public keys
and may have some speed advantages, both of which are
quite important for smartcard use.

>3. Anybody can write an application that supports strong encryption 
>algorithms. Witness SSH, a very impressive and useful program, which was 
>basically done by one person, Tatu Ylonen. However, building a key 
>management infrastructure will take lots of money, hard work, and 
>cooperation.
....
>4. Thus, the best leverage for the TLAs to win is to guide the 
>development of a key management infrastructure with the following 
>property: if you don't register your key, you can't play. I believe that 
>this is the true meaning of the word "voluntary:" you're free to make 
>the choice not to participate.
..
>6. Export is a two player game. The other country has to allow import of 
>the stuff, too. If the Burns bill passes, the "administration" would 
>strong-arm other countries to prohibit import of strong crypto, still 
>leaving US developers with no market.

It failed, and they've now got an Ambassador strong-arming other countries
to prohibit export.

>7. Building this stuff is too much of a task for the TLAs. They tried it 
>with Clipper, and it failed. They hoped that building the Tessera card 
>would be enough - that once they threw it over the wall, it would be 
>eagerly snapped up by industry.

>8. Thus, they're going to cajole, bribe, and coerce software companies 
>to play along. This fact is quite nakedly exposed in the document (good 
>thing the injunction against the CDA is still in force :-).

Yeah.  Clipper IV is getting a lot of people jumping on the bandwagon
to get export permission for their 56-bit software.  Many of the people
who are most vocal about it are the usual suspects anyway, but it's
closer to commercial usability that industry's more cooperative this round,
especially with more Internet money fever.

>> Don't be fooled.
>Who? Us cypherpunks?
>Raph
:-)

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts at ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)








More information about the cypherpunks-legacy mailing list