[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: EDIINT -- International Encryption Issues
> Our workgroup objective is "EDI over Internet Interoperability --NOW"
> With than in mind, I believe we must pick an initial SINGLE
> algorithm/standard for the INITIAL
> implementation so that we can facilitate "interoperability
> now". Besides than I agree with you...there will
> be several encryption methods/standards in use in the future...
> such as MOSS, S/MIME or PGP/MIME.
Here is where my opinion differs. Selecting a SINGLE algorithm would give
it an unfair advantage over other algorithms. I also noted the complexity
involves if too many algorithms are used. INFOSEC Business Advisory
Group (IBAG) statement Principle 1 states:
1. Governments, businesses and individuals each have the right and
responsibility to determine the level of protection needed for their
specific information, and to choose adequately strong encryption
methods to achieve those levels of protection, including type of
algorithm used, key length, method of implementation, etc.
Dorothy Denning in http://www.nla.gov.au/gii/dd.html interpreted that as
'The standards would allow choices about algorithm, .... '.
There are other principles on the appropriate level of protection provided
and I've no opinion about these.
> Here is my understanding of the international issues around encryption.
> ( I am not a legal professional so read the following with that
> in mind. The following comments
> are a result of my conversations with several individuals over
> the last few days.)
> - Some countries limit its use such as the USA, France and Russia
> ... to name a few.
> - There are two cases that must be discussed when we discuss
> encryption with respect to
> the international arena.
> 1) MOSS, S/MIME, PGP/MIME implementations are readily
> available world wide
> with long key lengths. The laws may preclude their use --
> but technically they are
> international in nature. If that is the case we should be
> able to interoperability test
> implementations of each standard and obtain
> interoperability relatively (let us hope) easily within
> a single standard.
The last time when I searched for the info, I was not permitted to obtain
more details about MOSS or S/MIME. I would appreciate the info on where
to obtain more details from international sources. Again IBAG
14. These standards, and the mechanisms implementing them, must be
published and unclassified, so that their effectiveness can be open
to public scrutiny. Any patented mechanisms must be available under
fair and reasonable conditions on a non-discriminatory basis.
EUROBIT-ITAC-ITI-JEIDA statement also has similar principles.
I would interprete the 'mechanisms' as the softwares, hardwares
or firmwares. Thus the standards should only contains mechanisms
or the core of them 'officially' published and unclassified. If only a
SINGLE algorithm is selected, then it would be preferable that the
implementations (and all the associated important routines) have been
developed INDEPENDENTLY elsewhere, is commercially legal to use, and
can be employed without undue obstacles.
> Summary: > > The issue is not exportability of
algorithms or their > implementations -- it is how companies
> that development the algorithm and implementation tool
kits > make money from international > use of them.
Both IBAG and EUROBIT-ITAC-ITI-JEIDA the same principle (17 and 18):
Cryptographic products that conform to the agreed standards
should not be subject to import controls, restrictions on use
within the law, or restrictive licensing; furthermore, these
products should be exportable to all countries except those
which are subject to UN embargo.
Interesting statement side-stepping the issue by focusing on
import controls :) However this has implication if independently
implementations are not available elsewhere.
> If the algorithm/tool kit is a standard which is not owned by
> a for-profit organization, then this is not
> a problem --- they can just let it go freely to the world.
As I understand it the algorithm is concept and it can be published
publicly, however the tool kit is a implementation and it cannot be exported
from some country.
> We know that DES, IDEAL and RSA algorithms are readily
> available internationally with long keys.
They are implemented independently elsewhere.
> So I believe that MOSS, S/MIME and PGP/MIME are all technically appropriate
> to our international focused,
> EDI over Internet, endeavor. Still we must pick one INITIALLY to
> facilitate interoperability NOW.
> Did I address your concerns David? If not let me know.
> Which is the best internationally from your point of view: S/MIME,
> PGP/MIME or MOSS?
I still got a lot of reading and thinking to do.
|Dr. David Chia, |mailto:email@example.com |
|Graduate School of Engineering, |mailto:firstname.lastname@example.org |
|RMIT University, |http://urgento.gse.rmit.edu.au/untpdc/ |
|Melbourne, Australia 3000. |FAX: 61 3 9639-1105 VOICE: 61 3 9660-2595|