Re: Restarting the 40-bit debate

1997-05-07 18:23:07
At the last IETF a presentation was given showing IETF meeting
attendance versus location. When meetings were held outside
of North America attendance was low. In San Jose, attendance
was high. Both lows and highs were compared against meetings
held in other North American cities. I suspect from that data,
my own meeting attendance, and cursory examination of
messages, American companies do compose a substantial
percentage of IETF participants.

Companies, whether they're based in the United States or otherwise,
don't participate in IETF working groups.  Individuals do.  
Those individuals cannot be assumed to represent the companies
they work for, and at any rate, IETF doesn't recognize such 

And while there are indeed many IETF participants from the United 
States, there is no reason to assume that anything remotely 
resembling a consensus of those participants supports the
interests of US companies that want to export weak cryptography.

The IETF may not endorse crypto policies such as the US
Government's but those policies do have an impact on the work
coming out of the IETF. For example, TLS includes 40 bit crypto.
The GSS-API SESAME mechanism proposal includes 40 bit crypto.
The IPsec group made the 56 bit DES-CBC ESP transform mandatory
to make a political statement to the United States government
and to encourage US companies to put pressure on the government
to relax export restrictions; however, a 40 bit ESP transform
draft was recently submitted.

All of the examples you give are merely proposals.  
None of them has been approved for the Internet standards track.

S/MIME, I remember reading in a
document from RSA's Web site, includes 40 bit crypto due to US
export restrictions and the desire to have an international
interoperable base, though S/MIME is not an IETF standard.

S/MIME is not a standard in any formal sense -- that's just a 
term that RSA likes to use to encourage people to buy in to it.
Even calling it a de facto standard would be a stretch.
If S/MIME is a standard, so is PGP.