Re: US Encryption Policy Change Now Official!

To: erbenson@alaska.net (Ethan Benson)
Cc: irving@speakeasy.org, mike@markley.org, bear@coyotesong.com, debian-devel@lists.debian.org
Subject: Re: US Encryption Policy Change Now Official!
From: Bear Giles <bear@coyotesong.com>
Date: Thu, 13 Jan 2000 22:53:40 -0700 (MST)
Message-id: <[🔎] 200001140553.WAA26039@eris.coyotesong.com>
In-reply-to: <v04220805b4a45f0b829b@[192.168.0.1]> from Ethan Benson at "Jan 13, 2000 08:06:23 pm"

> On 13/1/2000 Larry Gilbert wrote:
> 
> >
> >Well, it ain't all peaches and cream, at least according to the latest
> >joint press release from the ACLU, the EFF, and EPIC.  There are still
> >some unresolved issues from an open-source standpoint.
> 
> and maybe I am reading it wrong, but it looks like it only allows up 
> to 64 bit symetric crypto and 512 bit PKE keys.  if that is so its 
> not very useful...

*sigh*  

64-bit symmetrical crypto is inadequate for files sitting on a disk,
but as a well-managed session key it gives you:

 - ipsec
 - secure RPC
 - secure NFS
 - Kerberos
 - XDM-AUTHENTICATION-1, SUN-RPC-1 and MIT-KERBEROS5-5 Xauth for
   X windows.
 - encrypted file systems (native, kernel and NFS-based)

and probably other things I can't remember off the top of my head.
IP-sec will take a while to introduce, but secure-RPC, and -NFS 
can be introduced transparently to the user and close arguably
one of the biggest security holes in the real world: NFS-mounted
home directories.

64-bit session keys probably won't stop an irritated government or 
large corporation, but it will stop the script kiddies in their tracks.
And it will be *far* easier for people to develop and test patches
to add larger keys.  Hell, with a good design the product should
be able to ship with 64-bit session keys in one default shared library,
and support for 128-bit session keys in a second shared library which
can be easily swapped out for the first.  I think most if not all
modern wire protocols are designed to handle a variety of key lengths.

Finally, remember that this new policy is not the final word for
all time.  I'm sure that the bureaucrats balanced the calls for
totally unlimited export rules against the apparent indifference of
users to 40-, 48- and 56-bit systems.  If they realize in six months
that every major Linux distribution provides secure-RPC, -NFS,
X authentication, Kerberos, and tentative kernel support for IPSEC
*and* the libraries for 128-bit keys are regularly downloaded from
foreign sites, I doubt that the 64-bit limit would remain for long.
However this requires that our community show a real interest in
security - if we just stand around waiting for Godot many people
would reasonably conclude that there's really no widespread interest
in strong cryptology and the cypherpunks are a nothing but a loud-
mouthed fringe group.

--
Bear Giles
bgiles@coyotesong.com

Reply to:

Follow-Ups:
- Re: US Encryption Policy Change Now Official!
  - From: Ethan Benson <erbenson@alaska.net>

References:
- Re: US Encryption Policy Change Now Official!
  - From: Ethan Benson <erbenson@alaska.net>

Prev by Date: Re: Most packages that depend on mesa need to be recompiled
Next by Date: Re: US Encryption Policy Change Now Official!
Previous by thread: Re: US Encryption Policy Change Now Official!
Next by thread: Re: US Encryption Policy Change Now Official!
Index(es):
- Date
- Thread