Re[4]: VerSecure - "strong encryption" exportable from t
Stewart Baker
sbaker at steptoe.com
Sun, 1 Mar 1998 16:39:37 -0500
Brian's response strikes me as overwrought. HP and everyone else who sells
crypto hardware faces a market where there are many countries with controls and
many without, and several that seem to be moving from one status to the other,
or otherwise changing policy. Making many different products that can't
interoperate is possible, of course, but not exactly what made the PC market
take off.
The Holy Grail is a security device that can be sold and installed everywhere
without regard to special crypto regimes or changing policy. HP's solution is
pretty close to that, since any applicable controls can be left to a quick and
flexible downloaded token, while the product and the hardware can go everywhere.
I don't think this a conspiracy, just a practical businessman's way to get a
ubiquitous security architecture actually deployed. And probably the only way,
unless everyone thinks that Brian's libertarian views will suddenly sweep the
world -- and in time to ship in 2Q98.
______________________________ Reply Separator _________________________________
Subject: Re: Re[2]: VerSecure - "strong encryption" exportable from t
Author: <ukcrypto@maillist.ox.ac.uk > at INTERNET
Date: 3/1/98 4:29 AM
-----Original Message-----
From: Stewart Baker <sbaker@steptoe.com>
To: ukcrypto <ukcrypto@maillist.ox.ac.uk>; ukcrypto
<ukcrypto@maillist.ox.ac.uk>
Date: 01 March 1998 07:49
Subject: Re[2]: VerSecure - "strong encryption" exportable from the U
>
> Actually, once the ability to generate the tokens is exported (and that's
> what's been approved for the five countries), the US can't control the kind
> of crypto that is activated. The UK can. It can change policy and decide
> to restrict what crypto is enabled. But if commercial buyers think such a
> change is likely, that's probably a reason for commercial buyers to be
> interested in Versecure, not a reason to stay away.
>
> Commercial users won't thumb their nose at UK law. So if they bought
> hardwired crypto they'll have to throw out anything that doesn't conform to
> the new law unless they've got a flexible system like this.
I agree here but there are no laws in the UK restricting the use of
cryptography other than in very limited domains (e.g. amateur radio).
Moreover the current UK government has been very explicit in saying that,
whatever its new policy is, it will ***not*** impose any constraints on the
domestic use of cryptography.
I have lived with the HP ideas for nearly 5 years now and I know them pretty
well. I do not doubt their technical quality (although I have not looked at
this in any detail) but in my view HP have not paid sufficient attention to
the political implications of their thinking.
The main problem with the HP approach is that it is designed to put control
of any cryptography it offers in the hands of entities known as the
"Security Domain Authorities". Although in principle this authority need
not rest with government, as far as I can tell HP has been promoting its
concept in the belief that this authority ***will*** rest with government.
It has certainly been in discussion with UK government representatives,
including some from GCHQ, on just this possibility.
Now why is it, with the US and the UK governments involved, and with NSA and
GCHQ sitting in the background, that I somehow doubt that HP is doing us all
a favour?
More seriously, however, what right has HP got to offer the UK government
the ability to control the domestic use of cryptography in the UK when there
is absolutely no basis in law for any such control in the first place?
This seems to me to be a very dangerous tactic for HP in that it can now be
seen to intervene to support government controls on domestic cryptography in
the UK in a situation where no-one in the UK wants this and even the
government, in public at least, agrees.
I do not mind HP pushing ICF, nor do I mind if they set up an SDA for it in the
UK. But I ***do*** mind that they should offer this role to the UK
government, whose record in acting in the interests of its citizens in this
area is open to doubt.
If HP really has offered the UK government the ability to control the
domestic availability and use of cryptography here in the UK then I would
consider this a conspiracy between HP and the UK government to undermine the
democratic rights of UK citizens. Moreover any company taking up
cryptography in this form risks becoming a party to this conspiracy.
If this is going on (and I, for one, hope it is not as I would rather like
to go on buying HP laser printers!) then HP is on very, very dangerous
ground.
I do think, as a matter of urgency, that HP should 'come clean' in public on
its actions and intentions here and I hope that those of you on this list
who are in the media will encourage them to do so.
Brian Gladman