So, here's the latest news, and this already sounds much better, though
not ideal.
How soon are we going to implement these new rules with the OSF/DCE
product?
-jari
------
The following provides an update on recent activity in the
encryption space.
1. NEW U.S. REGULATIONS ON ENCRYPTION
On December 30, the U.S. published new regulations dealing with
export controls on encryption. The new regulations made two
important changes:
o Shift of jurisdiction. Effective immediately, control of
civilian encryption will shift from the munitions controls
of the Department of State to the dual-use controls of the
Department of Commerce. Although the National Security
Agency will remain the major source of technical review
(with the Department of Justice also involved for the
first time), this should translate into swifter, more
user-friendly license processing.
o Temporary relaxation of controls on DES-strength products.
In return for a commitment to develop Key Recovery
products, U.S. companies will be able to ship DES-strength
products to most customers outside of the embargoed
countries for a period of two years.
The Computer Systems Policy Project, chaired by Bob Palmer, played
an important role in negotiating these liberalizations with the
U.S. Government.
2. DIGITAL'S KEY RECOVERY SUBMISSION
Digital was the first company to submit a Key Recovery Plan to the
U.S. Government. The plan laid out three milestones:
o Selection of the technical KR framework and
Digital products into which they will be incorporated
by July, 1997;
o Development of working, in-house prototypes by
February, 1998;
o Field test in a customer environment by July, 1998.
After test, and subject to U.S. export review and approval,
Digital KR products would be offered for sale in the next relevant
release. In Digital's submission, IPv6-qualifying
protocols/products and the Alta Vista Tunnels were flagged as
potential candidates for KR functionality, although no commitment
to these or any other product need be made until July.
Digital's KR plan was formally submitted on January 7 and as of now
has been reviewed and approved by the National Security Agency and
the Department of Commerce. The final agency needed for approval,
the Federal Bureau of Investigation, has also reviewed the plan and
indicates that it will request "minor" changes which have not yet
been specified. The FBI indicates that these changes will be
identified in the next few days.
When Digital's KR plan is approved, we will be able to ship
(subject to semi-annual reporting requirements) DES-strength
products immediately to most customers outside of embargoed
countries without an export license. This will eliminate the need
for ITAR licenses for banking customers, and will permit shipment
of products containing strong encryption to non-financial customers
outside the U.S. for the first time. Products potentially eligible
for shipment under these provisions are: Encryption for OpenVMS,
the Alta Vista Tunnels (provided versions are modified for DES or
56-bit RC4), the Roamabout wireless LAN adapters, and DCE privacy
options.
The ability to ship DES-strength products will be renewed every six
months until Jan 1, 1999, provided we meet our Key Recovery
milestones. However, our ability to support customers who bought
these products within the two-year period, including the ability to
provide upgrades not affecting key length and additional licenses,
will continue indefinitely. After Jan. 1, 1999, only strong
encryption products having key-recovery features will be eligible
for license exception, and U.S. licensing policy will revert to
what it is today - non-KR DES approvable to banks and U.S.
subsidiaries only.
Note that the U.S. Government is constructing an "incentive
package" including seed money for key recovery development. We
know that $21 million will be available; projects under discussion
involve the U.S. Customs Service and the Patent and Trademark
Office.
3. KEY RECOVERY TECHNOLOGIES
After a review of KR products and technologies, two options that
are either already available or under development are the CKE
approach developed by TIS and the PQR (SecureWay) framework under
development by IBM.
TIS has already licensed its approach to Tandem and Hewlett-Packard
(although it is important to note that the HP International
Cryptographic Framework can support alternate KR technologies).
TIS has exported six versions of its firewall product containing
the KR DES-strength functionality (including to Royal Dutch Shell),
has obtained U.S. export license exceptions for 128-bit RC4 and
Triple DES KR products, and has obtained U.S. export approval for
five KR agents in Europe. TIS has exported systems both with third
party key recovery capability as well as for applications where the
customer acts as its own key recovery agent. As TIS is already
selling Key Recovery products, it has established a business plan,
and has suggested terms (subject to negotiation) for making its
technology available to Digital.
TIS has recently licensed its technology to IBM to clear up
potential patent problems with the PQR framework, and expects to
announce new company commitments to its approach at next week's RSA
conference.
While IBM has developed a promising alternative conceptual
framework to TIS in its "PQR" approach, it has made no new
information available to Digital on its efforts to develop this
approach since July. According to IBM, the framework has changed
substantially since it was presented to a Digital technical team at
that time; an implementation toolkit is scheduled to be completed
in April. A briefing on recent developments in the IBM framework
is scheduled to take place in Spitbrook on February 7.
No substantive information has been provided by IBM on how its
technical framework relates to business issues (e.g., cash flow
to KR agents, management and charges for access to policy tables);
nor on what terms IBM would make this technology available to
Digital. These key issues continue to be under discussion within
IBM. Sources at NSA and the FBI have stated that a working
prototype has not been made available to the U.S. Government.
Digital businesses most likely to benefit from additional markets
resulting from global exportability of strong security products,
UNIX (for IPv6 security applications) and Alta Vista (for the
Internet Tunnels), are in the process of evaluating the potential
value of KR technologies, how they complement product plans, and
how the company might structure licensing the relevant technologies
from TIS, IBM or both.
Digital is actively participating in the Key Recovery Alliance,
initiated and currently managed by IBM. Roger French of Security
Programs Office chairs the important KR Deployment subcommittee;
we also participate in the Policy and Technology Committees. The
second meeting of the Alliance, to reach consensus on an agenda for
these subcommittees, will be held prior to the RSA conference in
San Francisco next week.
3. CRYPTOGRAPHIC POLICY OUTSIDE THE U.S.
On December 20, the OECD issued draft guidelines on cryptographic
policy. To the disappointment of industry participants, the draft
explicitly recognized the legitimacy of national government
involvement in establishing user trust and the need for government
access under due process.
The OECD Guidelines, while not binding on member states, are
evidence that commercial considerations will not dominate policy
discussions on the use and export of cryptography in major Digital
markets. A breakdown of current government policies outside the
U.S. is as follows.
o France - Already requires key escrow (not Key
Recovery). While TIS has gotten U.S. Government
approval for a Key Recovery Agent in France, it is
expected that if such an agent is approved in the
future by the French Government, it will have to be
controlled by French nationals, subject to security
clearance requirements, and have few constraints on
French Government access.
o U.K. - Policy similar to U.S. on KR. The U.K.
plans to require escrow or recovery for U.K. entities
offering privacy as a service to third parties. It is
also considering export incentives for KR similar to
those of the U.S.
o Germany - Doesn't like the idea of escrow agents
outside of Germany (particularly in France). This
concern is shared by a number of countries, indicating
the need for bilateral agreements on the certification
of agents. The U.S. has already approved 5 such agents
in Europe.
o Japan - Neutral, but willing to allow Japanese firms to
develop KR products (Hitachi and Fujitsu have already
announced their intent to do so).
o Holland, Sweden, Denmark - Against escrow and recovery
in principle, but not expected to take any steps to
prevent its use in their countries.
4. U.S. LEGISLATION AND POLITICAL ENVIRONMENT
Some U.S. organizations did not fully buy into the recent U.S.
regulations containing the requirement to commit to KR in return
for 2-year DES exportability. Chief among these was the Business
Software Alliance (major member: Microsoft), which opposes U.S.
policy openly and continues to seek legislative relief. This
position is reinforced by the civil liberties community, which
continues to oppose any controls on encryption.
As a result, Senator Burns and Representative Goodlatte have
decided to reintroduce their liberalization bills, which failed to
be reported out of committee in the last Congress. While there is
continuing congressional interest in encryption, it is unlikely
that any legislation proposing substantial decontrol (as these
bills do) will survive a floor vote. In the Senate, due to solid
opposition to encryption liberalization by key Senators (like
D'Amato of NY), it is not likely that the Burns Bill will make it
to the floor.
While continued Congressional attention to the encryption problem
is appropriate and useful, an approach with more potential for
success will be to consolidate and expand on the Administration
liberalization initiatives. Through CSPP and other trade
associations, we will be looking for appropriate bills to do that.
If you have any questions on these issues, please give me a call.
Regards,
Bob Rarog