NIST Privacy Board Resolutions on Clipper technology

The Computer System Security and Privacy Advisory Board devoted its
June 2-4 meeting to the issue of the Administration's recently
announced government-developed key escrow encryption chip (called
"Clipper chip" in the April 16 announcement) and, more broadly, to
public use of cryptography and government cryptographic policies
and regulations.  All sessions were open to the public.

This posting contains the resolutions passed at that meeting as
well as the cryptographic issue statements received by the Advisory
Board via e-mail.  Hard copies of all of the statements submitted
by the public are available by written request to:  Mr. Lynn
McNulty, Executive Secretary and Associate Director for Computer
Security, Computer Systems Laboratory, National Institute of
Standards and Technology, Building 224, Room B154, Gaithersburg,
Maryland 20899.  

The Advisory Board was established by the Computer Security Act of
1987 (P.L. 100-235) to advise the Secretary of Commerce and the
Director of NIST on security and privacy issues pertaining to
Federal computer systems and report its findings to the Secretary
of Commerce, the Director of the Office of Management and Budget,
the Director of the National Security Agency, and the appropriate
committees of the Congress.  



			  June 4, 1993

At Mr. Kammer's request we have conducted two days of hearings. 
The clear message of the majority of input was that there are
serious concerns regarding the Key Escrow Initiative and the Board
concurs with these concerns.  Many of these issues are still to be
fully understood and more time is needed to achieve that

Accordingly, this Board resolves to have an additional meeting in
July 1993 in order to more completely respond to Mr. Kammer's
request and to fulfill its statutory obligations under P.L. 100-235.
The Board recommends that the inter-agency review take note
of our input collected, our preliminary finding, and adjust the
timetable to allow for resolution of the significant issues and
problems raised.

Attached to this resolution is a preliminary distillation of the
serious concerns and problems.  


FOR:      Gallagher, Gangemi, Lambert, Lipner, Kuyers, Rand,
	  Whitehurst, and Zeitler

AGAINST:  none 

ABSTAIN:  none




			  June 4, 1993

-    A convincing statement of the problem that Clipper attempts to
     solve has not been provided. 

-    Export and import controls over cryptographic products must be
     reviewed.  Based upon data compiled from U.S. and
     international vendors, current controls are negatively
     impacting U.S. competitiveness in the world market and are not
     inhibiting the foreign production and use of cryptography (DES
     and RSA).

-    The Clipper/Capstone proposal does not address the needs of
     the software industry, which is a critical and significant
     component of the National Information Infrastructure and the
     U.S. economy.

-    Additional DES encryption alternatives and key management
     alternatives should be considered since there is a significant
     installed base.  

-    The individuals reviewing the Skipjack algorithm and key
     management system must be given an appropriate time period and
     environment in which to perform a thorough review.  This
     review must address the escrow protocol and chip
     implementation as well as the algorithm itself.    

-    Sufficient information must be provided on the proposed key
     escrow scheme to allow it to be fully understood by the
     general public.  

-    Further development and consideration of alternatives to the
     key escrow scheme need to be considered, e.g., three "escrow"
     entities, one of which is a non-government agency, and a
     software based solution.  

-    The economic implications for the Clipper/Capstone proposal
     have not been examined.  These costs go beyond the vendor cost
     of the chip and include such factors as customer installation,
     maintenance, administration, chip replacement, integration and
     interfacing, government escrow system costs, etc.  

-    Legal issues raised by the proposal must be reviewed.

-    Congress, as well as the Administration, should play a role in
     the conduct and approval of the results of the review.  




			  June 4, 1993

Key escrowing encryption technology represents a dramatic change in
the nation's information infrastructure.  The full implications of
this encryption technique are not fully understood at this time. 
Therefore, the Board recommends that key escrowing encryption
technology not be deployed beyond current implementations planned
within the Executive Branch, until the significant public policy
and technical issues inherent with this encryption technique are
fully understood.  

FOR:  Gangemi, Lambert, Lipner, Kuyers, Rand, Whitehurst, & Zeitler

AGAINST:  Gallagher

ABSTAIN:  none
