ietf-smime

RE: Restarting the 40-bit debate

1997-05-07 18:14:26
I normally participate in these discussions as a member of the IETF. I'm going to
depart from that position in this posting and answer as an Innosoft corporate
officer and employee.

I don't believe this.  First, there are many factors involved besides
US export rules -- including the existence of patents and the
licensing practices of certain firms.  PGP has a reputation which
gives it credibility in certain circles and undermines its credibility
in others.  Second, people are shipping strong encryption products
both inside and outside the United States.

I think the point is that within the domain of US commercial for-profit
software companies, strong-encryption-only specs are only going to
appeal to those companies that don't consider their international sales
to be important.

I disagree and I offer the company I work for, Innosoft, as a counterexample.
Innosoft currently implements and sells email products internationally. About
45% of our sales and revenues are non-US. We have numerous international
distributors and we expend considerable effort as a company working with them.
As such, I take it as given that we regard international sales as extremely
important.

Now, as it happens Innosoft also implements strong encryption services for
email (not S/MIME -- this is SASL based transport level stuff) with no
provisions for key escrow and no plans to ever add such provisions, which of
course we then can only sell to the domestic subset of our customer base.

We do not implement weak encryption or key escrow services and have no
intention of doing so -- such services simply do not appeal to us as a possible
product offering. I suppose we might consider adding them if we had a direct
request from an international customer to do so and the customer was fully
aware of the consequences of their use, but I've yet to encounter a customer
that meets these criteria.

In my opinion, these companies are missing out on a large market that
wants products.  We have a large customer base that is non-US,
non-Canada and I certainly don't consider ourselves to be the largest
company out there (which means that the Apples, IBMs and Microsofts of
the world are much more interested in this market than I am).

Our assessment of our customer base is that they are a pretty savvy lot. They
absolutely do want encryption products, in fact they want them desperately and
they hammer on us constantly to provide them, but they aren't interested in
products that only implement weak encryption. And they absolutely do know the
difference -- I'm sorry, but I've worked on far too many RFPs that demonstrate
such knowledge in abundance to believe otherwise. In fact it's hard enough
trying to sell our domestic customers on strong encryption after they've read
somewhere that such-and-such or so-and-so has been compromised, let alone weak
encryption where every week it seems there's another result showing how easy it
is in practice to break.

The best we could hope for were we to offer weak encryption internationally
would be for them to dismiss us as naive fools. A more likely outcome,
unfortunately, would be for them to reassess us as knaves trying to sell them a
pig in a poke. Either way it falls out this isn't an acceptable tradeoff for
us. I suppose we might win in the short term with our less informed customers
but we'd lose in the long run, because people have a way of finding these
things out. And besides, we have a high degree of commitment to our customers
to provide them with the best technology that's available, and weak encryption
does exactly qualify here. 

My view of standards requiring weak crypto is that they are simply a last-ditch
attempt to generate credibility for these sorts of solutions in the marketplace
so that US companies can sell inadequate products to international clientele.
Unfortunately the lack of credibility of such solutions is inherent in the
solutions themselves so no amount of standards sanction is going to help. In
the end all such sanctioning will do is cause a loss of credibility in the
standards process itself.

The long and short of it is that US manufacturers have been boxed in by the
actions of the US government, and the idea that standards will make weak
encryption acceptable is really nothing but wishful thinking. This I believe to
be the cold, hard, reality, a situation I estimate is costing Innosoft around
half a million dollars a year at the present time in lost revenue (more as we
continue to grow, of course), and also a situation that our offering weak
encryption products won't change appreciably. And while I (naturally) have
enormous sympathy for other companies caught in the same bind as we are, this
doesn't mean I'm willing to ignore the evidence of my own experience and
endorse the use of weak encryption in standards track documents. My sincere
belief is that this is simply not in my company's best interest. (I've argued
elsewhere with my IETF hat on that it isn't in the IETF's best interest
either.)

It seems that US companies with an interest in international sales may
be a large faction of the overall IETF membership, but I might be wrong.

I suspect you are quite right in your demographics of the participants here,
but as my example shows, your assessment of what necessarily follows from this
isn't right in at least one case that I have knowledge of.

                                Ned