At 09:01 AM 4/17/97 -0700, Steve Dusse wrote:
If DES is a MUST then US software companies will have a difficult time
exporting S/MIME-compliant products.
Well you can always just give those government workers what they ask for,
40 bit DES :) I never ment to imply that we can't play mind games too.
Unless there is something about S/MIME that I missed, but a key escrow of
the encrypting certificate would meet the gov's brain-dead key recovery
requirement. An S/MIME vendor could present an implementation that shows
key recovery working through a CA's key escrow and get out that way. Nah,
that would be too easy... Afterall, there is no reason for me to use key
escrow (actually not in this case), so it is not the S/MIME implementors
fault that i do not provide the key recovery.
WAIT A SECOND! Is there a red herring lurking here? How could a vendor
get an export license when DES is not a MUST. That must mean that the
current MUST crypto is weak enough that it passes the 40 bit export rule.
From: Robert Moskowitz[SMTP:rgm3(_at_)chrysler(_dot_)com]
Sent: Wednesday, April 16, 1997 6:20 PM
To: Peter Whittaker; 'SMIME Dev List'; 'SMIME IETF'
Subject: Re: Alternative symmetric algorithm freely available for
(re: RC2 licensing).
At 11:10 AM 4/16/97 -0400, Peter Whittaker wrote:
It has been suggested that the IETF consider specifying an alternative
"MUST" symmetric encryption algorithm in its version of S/MIME. One of
the alternatives is CAST. Entrust Technologies announced in January that
it was making CAST available. From the press release:
I was at US Customs today discussing some issues regarding secure
communications between Customs and the 'Big 3'. It was clear that it would
be hard to ge anything through over there that did not support a FIPS
As I recall, DES was SHOULD. From what I learned today, I'd say that DES
is MUST. And when AES is done then, well I'm not so sure of that....