Adam Shostack <adam @
homeport .
org> writes:
> We were discussing http://www.steptoe.com/commerce.htm, proposed
> revisions to the ITARs, on Cypherpunks. I think this has direct
> relevance to many firewall people.
We, the users of software that includes encryption, need to
resist the government's transparent attempt to mandate GAK
(Government Access to Keys) for encryption products. What
the government is offering is *56*bit encryption only if it's got
approved key recovery and escrow. 56-bit encryption is simply
not good enough, and the fact that the government is willing to
consider "generously" permitting its use means we can put our
hearts to rest over the question of whether or not the codebreakers
can handle 56-bit cryptosystems. Note, too, that the government's
current murky specifications will serve to continue their preferred
approach to dealing with cryptography:
1) make it as difficult as possible to include it in products
2) make it as expensive as possible for users to deploy it
3) make compliance with government regulation as confusing
and hurdle-filled as possible
As long as countries like Finland are able to release software
with 128-bit and higher encryption, the government's scheme is
going to just waste taxpayer dollars and feed them into the pockets
of preferred vendors who are granted the lock on "commercial
key escrow" technologies: the patents are already lined up and
locked in and the pigs are ready to feed at the trough. Your tax
dollars at work. The whole thing stinks. At this point, the best
thing we can do is - not buy American. If countries like Finland
can do good business selling crypto products then maybe they
will resist the inevitable US-sponsored end-run around the EU, to
get the EU to adopt an American-style ITAR and GAK.
mjr.
-----
Marcus J. Ranum, Chief Scientist, V-ONE Corporation
Work: http://www.v-one.com
Personal: http://www.clark.net/pub/mjr
"I'll have time to be laid back when I'm laid out on a slab"
|
|
