Re: Clarifying controversial criteria

Brad Knowles (brad@azathoth.ops.aol.com)
Wed, 13 Mar 1996 20:29:27 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Previous message: Raph Levien: "RE: Clarifying controversial criteria"

On Mar 13,  2:46pm, Blake Ramsdell wrote:

> On Wednesday, March 13, 1996 12:48 PM, Raph
> Levien[SMTP:raph@cs.berkeley.edu] wrote:
> >>
> >>   I'm pretty sure that the S/MIME implementations of 40-bit RC2 are, in
> >>fact, restricted to 40 bits for export reasons. Thus, I stand by the
> >>blank for S/MIME Secure Interoperability.
> 
> A product that is sold in another country by an American company that
> implements the RC2 algorithm is, in fact, limited to using a 40-bit key
> (combined with a 512-bit RSA key).  This is not a point of debate, and if
> this is the reason why S/MIME fails the Secure Interoperable criteria on
> your chart, I think the criteria should be removed, since it is impossible
> for me (an American company) to implement *any* secure standard and have it
> be exportable.

    I have to side with Raph on this one.  It doesn't matter (to the
user) *why* something is "insecure", it just matters that the minimum
interoperable version is insecure.  The user doesn't care about
standards, they care about products.

    This is part of why I said "The *HELL* with ITAR" at the workshop.


    Note that PGP and the products based on it are both interoperable
and secure by Raph's definition.  And this is a very important
distinction.  If the S/MIME, MOSS, or MSP implementors want the same,
then I think they need to explore how they could have versions
available outside the U.S.  that are "secure" and interoperable with
the versions available inside the U.S.  Even if the U.S. and non-U.S.
versions are available from two unrelated companies (or any two other
sources), so long as they are both secure and interoperable, the
criteria would be met.


    As I understand it, ITAR has recently been re-worded so that
cryptography is no longer a "munition" but is instead considered
"indecent" by the terms of the CDA.  Since this part of the CDA has
been put on legal hold, I suggest that there is a legal loophole here
that folks might want to take advantage of sooner rather than later.


    Again, we may be talking "standards" in one document and
"implementation" in another, but I think Raph's distinction is a very
important one and needs to be retained as a comparison criteria, even
if it's in the "implementation" document rather than the "standards"
document.

-- 
Brad Knowles                           MIME/PGP: BKnowles@aol.net
    Mail Systems Administrator        <http://www.his.com/~brad/>
    for America Online, Inc.                   Ph: (703) 453-4148

	PGP keys available from pgp-public-keys@pgp.ai.mit.edu

Previous message: Raph Levien: "RE: Clarifying controversial criteria"