I'm don't think that Steve is wrong in his wording that "the goals of
the IETF are out of step with US companies' business needs". Consider
the following:
1. US companies need to sell products outside the US and Canada
2. The current discussion about removing RC2 40-bit is about removing
the necessary component from the specification that would allow this
I don't know how more accurate his statement could be.
And it's not just "expedited" export of a product that is afforded by
having RC2 40-bit -- if you use anything else and you get approval, it
is contingent on providing information about each of the customers you
have sold the product to. This is, in short, enough paperwork to negate
the effort, especially if you have any kind of distribution channel,
bundling, or any other non-direct sales where end-user accountability is
not possible.
This policy may have changed, and if any evidence of this is presented
through my other email thread we can discuss the possible replacement of
RC2 40-bit. In that thread, I asked if there was any algorithm that met
the US export requirements and was not an insurmountable administrative
burden to sell as an S/MIME product. We'll see if anything comes up.
In any case, this is the business need, and it appears that the IETF
wants to head the spec in a different direction. That's why Steve (and
I) believe that it is out of step.
Blake
-----Original Message-----
From: Paul E. Hoffman [SMTP:phoffman(_at_)imc(_dot_)org]
Sent: Thursday, April 17, 1997 4:18 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: RE: Alternative symmetric algorithm freely available
forIETFS/MIME
(re: RC2 licensing).
At 3:45 PM -0700 4/17/97, Steve Dusse wrote:
If there is agreement, then I
will stand by my earlier conviction; the goals of the IETF are out of
step with US companies' business needs.
I disagree strongly with your wording. There is no "need" for expidited
export of a product; there is a strong desire. To be more specific, there
is a strong desire for a small number of companies (mail client
manufacturers) for expeditied export.
There is a strong need for strong cryptography in all US companies for
their messaging. This is why RSA included tripleDES in the original S/MIME
spec. Thus, the goals of the IETF are exactly step with US companies'
business needs, with the exception of a few companies.
As such, we should find a way
to separate the non-business protocol portions of the S/MIME spec from
the US business-needs-centric profiling information.
Again, I disagree with your wording. In my mind, a better way to say this
is "we need a spec that meets US companies' business needs, and we need to
also at least acknowledge the strong desires of US mail client vendors."
Further, I'd like to point out to the group as a whole that just because
other countries don't have export controls today, they might tomorrow. The
lame ideas of the US government are often imported gleefully by other
governments. Thus, the 40-bit crypto problem is temporarily US-only. It
could go away in the US, it could appear in other major software-exporting
countries, or both.
--Paul E. Hoffman, Director
--Internet Mail Consortium