[Top] [All Lists]

RE: Restarting the 40-bit debate

1997-05-07 13:41:14
On Wednesday, May 07, 1997 9:44 AM, Keith Moore 
As much as we may hate it, the US Government's refusal to let US
developers ship mail software with stronger security has pretty much
prevented all developers, inside the US and outside, from
implementing strong-encryption-only specs like PGP/MIME. 

I don't believe this.  First, there are many factors involved besides
US export rules -- including the existance of patents and the
licensing practices of certain firms.  PGP has a reputation which
gives it credibility in certain circles and undermines its credibility
in others.  Second, people are shipping strong encryption products
both inside and outside the United States.

I think the point is that within the domain of US commercial for-profit
software companies, strong-encryption-only specs are only going to
appeal to those companies that don't consider their international sales
to be important.

In my opinion, these companies are missing out on a large market that
wants products.  We have a large customer base that is non-US,
non-Canada and I certainly don't consider ourselves to be the largest
company out there (which means that the Apples, IBMs and Microsofts of
the world are much more interested in this market than I am).

It seems that US companies with an interest in international sales may
be a large faction of the overall IETF membership, but I might be wrong.

I think it behooves us to come out with a spec that can be widely
implemented but does not force weak encryption.

People can define and use weak encryption algorithms if they want to.
However, I sincerely doubt that something as weak as 40 bits can be
considered of sufficient quality for the Internet standards track.

In these discussions I always end up at the same point.  Why is there no
differentiation between a spec that allows the OPTION of using a weak
algorithm, versus a REQUIREMENT of using a weak algorithm?  The argument
was presented here before that in the event that something is specified
as OPTIONAL, in practice it is always implemented, and thus everyone
will be using the weak algorithm.  I don't understand how people could
make money with such a product, since competitive products that didn't
take the "easy way" would stomp them because of the shortcoming.