Re: EDIINT -- International Encryption Issues
Rik,
> Our workgroup objective is "EDI over Internet Interoperability --NOW"
Noted.
> With that in mind, I believe we must pick an initial SINGLE
> algorithm/standard for the INITIAL
> implementation so that we can facilitate "interoperability
> now". Besides that, I agree with you...there will
> be several encryption methods/standards in use in the future...
> such as MOSS, S/MIME or PGP/MIME.
Here is where my opinion differs. Selecting a SINGLE algorithm would give
it an unfair advantage over other algorithms. I also noted the complexity
involved if too many algorithms are used. INFOSEC Business Advisory
Group (IBAG) statement Principle 1 states:
1. Governments, businesses and individuals each have the right and
responsibility to determine the level of protection needed for their
specific information, and to choose adequately strong encryption
methods to achieve those levels of protection, including type of
algorithm used, key length, method of implementation, etc.
Dorothy Denning in http://www.nla.gov.au/gii/dd.html interpreted that as
'The standards would allow choices about algorithm, .... '.
There are other principles on the appropriate level of protection provided
and I've no opinion about these.
> Here is my understanding of the international issues around encryption.
> ( I am not a legal professional so read the following with that
> in mind. The following comments
> are a result of my conversations with several individuals over
> the last few days.)
>
> - Some countries limit its use such as the USA, France and Russia
> ... to name a few.
>
> - There are two cases that must be discussed when we discuss
> encryption with respect to
> the international arena.
>
> 1) MOSS, S/MIME, PGP/MIME implementations are readily
> available world wide
> with long key lengths. The laws may preclude their use --
> but technically they are
> international in nature. If that is the case we should be
> able to interoperability test
> implementations of each standard and obtain
> interoperability relatively (let us hope) easily within
> a single standard.
The last time when I searched for the info, I was not permitted to obtain
more details about MOSS or S/MIME. I would appreciate the info on where
to obtain more details from international sources. Again IBAG
principle 14:
14. These standards, and the mechanisms implementing them, must be
published and unclassified, so that their effectiveness can be open
to public scrutiny. Any patented mechanisms must be available under
fair and reasonable conditions on a non-discriminatory basis.
EUROBIT-ITAC-ITI-JEIDA statement also has similar principles.
I would interpret the 'mechanisms' as the software, hardware
or firmware. Thus the standards should only contain mechanisms
(or the core of them) 'officially' published and unclassified. If only a
SINGLE algorithm is selected, then it would be preferable that the
implementations (and all the associated important routines) have been
developed INDEPENDENTLY elsewhere, are commercially legal to use, and
can be employed without undue obstacles.
> Summary:
>
> The issue is not exportability of algorithms or their
> implementations -- it is how companies that develop the
> algorithm and implementation tool kits make money from
> international use of them.
Both IBAG and EUROBIT-ITAC-ITI-JEIDA state the same principle (17 and 18):
Cryptographic products that conform to the agreed standards
should not be subject to import controls, restrictions on use
within the law, or restrictive licensing; furthermore, these
products should be exportable to all countries except those
which are subject to UN embargo.
Interesting statement side-stepping the issue by focusing on
import controls :) However, this has implications if independent
implementations are not available elsewhere.
> If the algorithm/tool kit is a standard which is not owned by
> a for-profit organization, then this is not
> a problem --- they can just let it go freely to the world.
As I understand it, the algorithm is a concept and it can be published
publicly; however, the tool kit is an implementation and it cannot be exported
from some countries.
> We know that DES, IDEAL and RSA algorithms are readily
> available internationally with long keys.
They are implemented independently elsewhere.
> So I believe that MOSS, S/MIME and PGP/MIME are all technically appropriate
> to our international focused,
> EDI over Internet, endeavor. Still we must pick one INITIALLY to
> facilitate interoperability NOW.
> Did I address your concerns David? If not let me know.
>
> Which is the best internationally from your point of view: S/MIME,
> PGP/MIME or MOSS?
I still got a lot of reading and thinking to do.
David Chia
+--
|Dr. David Chia, |mailto:dchia@rmit.edu.au |
|Graduate School of Engineering, |mailto:rsedc@urgento.gse.rmit.edu.au |
|RMIT University, |http://urgento.gse.rmit.edu.au/untpdc/ |
|Melbourne, Australia 3000. |FAX: 61 3 9639-1105 VOICE: 61 3 9660-2595|