Wired: US To Follow EU Crypto Lead

Owen Lewis oml at eloka.demon.co.uk
Wed, 7 Jun 2000 12:49:53 +0100 

----- Original Message -----
From: "Brian Gladman" <brian.gladman@btinternet.com>
To: <ukcrypto@maillist.ox.ac.uk>
Sent: 08 June 2000 00:07
Subject: Re: Wired: US To Follow EU Crypto Lead


> ....... It has never been difficult to obtain
> encryption products for specialist use but the companies that provide
'mass
> market' software applications for international use have been forced by
> cryptography export controls to deliver deliberately weak cryptography.

True pre-PGP, but now? Even pre-PGP, the 'leaning on' was only possible
because there were but a handful of good producers in each of but a handful
of countries. For those producers, national govts represented (say) 90 % of
their market, giving those govts an effective stranglehold commercially.

IMO what changed is that computers gor smaller, faster and cheaper. once
that happened, there was no longer any necessity to rely on purpose built
expensive crypto-hardware . Hence PGP and other software cryptosystems which
cannot be as effectively controlled at the point of production.

> Finding a country in which to locate in order to offer cryptographic
> products without facing export controls has never been difficult and this
> leaves me unconvinced that such moves tackle the real problem.

It is convenient, relatively cheap and avoids the risk of continual hassle.
I'd say it has to be an attractive option to any producer without an
associated politico-social agenda.

>Encryption
> in mass market products could be provided in this way if all such products
> had a 'crypto shaped hole' in them (thanks to Stefek for this description)
> but preventing this is one of the constraints that the US has been
fighting
> hard to retain.  It will be interesting to see if this is dropped in the
> current round of relaxations.

Yes, it will.

> When I have complained to NSA and GCHQ about the impact of their crypto
> export controls on our ability to provide good security for internet users
> they have often responded that the real issue is not export controls but
the
> low value that end users place on security.  I believe there is a lot to
be
> said in favour of their view (when not used as an excuse for continuing
with
> export controls)

I agree. But the uncomfortable truth is that good security costs money.
Having security never made anyone a penny's profit. Security is always a
drain on the bottom line. At the best, security protects profitability (the
ability to make profit); at the least it provides an assurance of due care.
And, yes, security remains my trade.

> and this means that we must now start on the much harder
> tasks of (a) convincing end users that security matters and that this is
> something that they can never have if ***they*** don't care about it, (b)
> convincing suppliers (and governments) that delivering effective security
> is ***really*** hard and that 'security through obscurity' is not an
option,
> and (c) ensuring that efforts that undermine the provision of security,
> safety and privacy for honest, law abiding users do not succeed (e.g.
> providing cryptographic and steganographic solutions that ensure that GAK
in
> RIP provisions are ineffective if applied to keys owned by honest, law
> abiding citizens).

The b*gger is how to provide for the majority need without providing also
aid and succour to the minority whose intent on harm. Despite all the
paranoia and conspiracy theories, I believe that KE and GAK in RIP are
honest attempts to address this problem but there needs to be a better way.
I remember saying as much in a paper for the Law and Computer Security
Bulletin in 1991, when KE was a glimmer only in the US eye. Nine years and
how much further forward are any of us?

Owen