Re: Restarting the 40-bit debate

1997-05-07

From: Keith Moore
Date: Wed, 07 May 1997

I think the point is that within the domain of US commercial for-profit
software companies, strong-encryption-only specs are only going to
appeal to those companies that don't consider their international sales
to be important.

In my opinion, these companies are missing out on a large market that
wants products.  [...]

It seems that US companies with an interest in international sales may
be a large faction of the overall IETF membership, but I might be wrong.

You seem to be of the opinion that IETF exists to provide market
opportunities to US companies.  You also seem to be of the
opinion that US companies are somehow "members" of IETF.
Finally, you seem to believe that IETF's mission is to endorse
the Clinton administration's cryptography policy by
developing standards which are consistent with that policy.

None of these is consistent with IETF policy.

IETF is international in scope and does not exist to favor US
companies in any way, regardless of how they might be impeded by
their government.

IETF is not a membership organization, and does not recognize
companies as members. IETF policy is that individuals, not
representatives of organizations, are the technical
contributors to its working groups.  [see RFC 1603, sect 1.0,
next to last paragraph]

IETF emphatically does not endorse the policies of
governments that prohibit use of encryption, restrict the
export of cryptographic technology, or restrict key lengths,
or mandate government recovery of keys.  [see RFC 1984]

At the last IETF a presentation was given showing IETF meeting
attendance versus location. When meetings were held outside
of North America attendance was low. In San Jose, attendance
was high. Both lows and highs were compared against meetings
held in other North American cities. I suspect from that data,
my own meeting attendance, and cursory examination of
messages, American companies do compose a substantial
percentage of IETF participants.

The IETF may not endorse crypto policies such as the US
Government's but those policies do have an impact on the work
coming out of the IETF. For example, TLS includes 40 bit crypto.
The GSS-API SESAME mechanism proposal includes 40 bit crypto.
The IPsec group made the 56 bit DES-CBC ESP transform mandatory
to make a political statement to the United States government
and to encourage US companies to put pressure on the government
to relax export restrictions; however, a 40 bit ESP transform
draft was recently submitted. S/MIME, I remember reading in a
document from RSA's Web site, includes 40 bit crypto due to US
export restrictions and the desire to have an international
interoperable base, though S/MIME is not an IETF standard.

I think the conclusion that US export policies influence
standards is fair.

If you're trying to achieve such ends, you're in the wrong