In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Johnny Bravo) wrote:
> On Tue, 21 Sep 1999 01:43:55 GMT, Greg <[EMAIL PROTECTED]> wrote:
>
> >So what if the Clinton Administration says that they will allow
> >128 bit encryption to be exported? It still requires government
> >licensing- that is, NSA must review the software. Now think about
> >that for a minute. What market exists today anywhere in the world
> >for use of 128 bit compromised (by definition of NSA examination)
> >encryption software?
>
> Examination by the NSA does not define compromised. Is Blowfish
compromised
> because the NSA can examine the code? No truly secure cipher will be
> compromised by allowing a potential attacker to examine it. If the
NSA can
> order changes in the product before release you have a different
problem, at
> that point the software becomes a trojan.
The purpose of pre-export review is to allow NSA to require changes in
the code prior to export, and/or to discriminate against some exporters
on political or technical grounds.
If their goal was merely to understand what was being exported, that
could easily be accomplished by requiring delivery of code to them
contemporaneously with the export. (I think there are First Amendment
problems here, but let's ignore them for the moment.)
We can only expect that NSA wants the ability to delay or refuse some
exports because they anticipate that they will use that ability from
time to time. Are there any legitimate reasons for them to do so? The
only one I can imagine is where they discover an implementation where a
defect has weakened security, and they want to alert the publisher to
the existence of the defect so it can be corrected prior to publication
- but that's so diametrically opposed to their current practice that I
can't consider that a credible scenario. Are there others?
