RE: PROPOSAL: Minimum Authentication and transport level encryption for CAP

[Paul Leach <paulle@xxxxxxxxxxxxx>]

> -----Original Message-----
> From: John Stracke [mailto:francis@ecal.com]
> Sent: Wednesday, May 12, 1999 6:57 PM
> To: ietf-calendar@imc.org
> Cc: Chris.Newman@innosoft.com; Paul Leach
> Subject: Re: PROPOSAL: Minimum Authentication and transport level
> encryption for CAP
> 
> 
> andrec@cst.ca wrote:
> 
> > I'd like to propose that, within the SASL framework
> > the "Must" authenticate be DIGEST-MD5 [1]
> > and the the "Must" transport level encryption be
> > a US-Exportable DES.

As I wrote, this wouldn't get past the IESG.

> 
> Is it possible to have the MUST be something with parameterized
> strength? For example, "all implementations MUST support 
> X-bit DES, and
> MUST support negotiating what X is at runtime"? Then one could say, "I
> can go up to 1024-bit", and the other could say, "I can go up to
> 96-bit", so they'd use 96-bit.  (They'd probably also want to express
> minimal strengths ["I can't talk unless we use at least 256-bit"].)

The spec can handle this, but not exactly in the way you say.

> 
> My reasoning here is that we don't want to set a MUST based on the
> current political climate (especially since, at the moment, US export
> controls may be in abeyance).  Besides, so what if 1024-bit can't be
> exported? If I develop a 1024-bit program in the US, and 
> Andre develops
> one in Canada, they can talk to each other without the software ever
> being exported.
> 
> (On the other hand, if encryption is mandatory, compliant CAP software
> cannot be used in France at all.)

It's mandatory to implement, not mandatory to deploy, so if the local
government forbids you do deploy it, that's OK as far as the standard is
concerned.

Also, France did a complete flip-flop last I heard. They allow strong
encryption -- stronger than US companies can export to them.

Paul