This is a crow-meat lunch, folks. 

        On Monday, December 13th, NAI issued a press release which announced
that, effective immediately, the U.S. Government had granted NSA a license
for international sales of PGP without restriction, except for the
traditional outlaw state exclusions.   See:
<http://biz.yahoo.com/prnews/991213/ca_network_1.html>  or
<http://www.computerworld.com/home/news.nsf/CWFlash/9912131nai>

        NAI hailed its export permit as a "landmark" in US crypto politics,
and seemed to imply, rather than state, that its permit covered the whole
suite of enterprise-security products which have been re-labelled as NAI's
PGP suite.
"PGP encryption and authentication technology," noted the press release,
ship today "in several consumer and enterprise-class products. PGP Data
Security secures all email, disk, file and network communications between
businesses."

        I was in a cantankerous mood, and the NAI claims -- particularly for
"enterprise-class" crypto systems like VPNs -- seemed to promise strong
crypto outside the "retail" class of products I expect will become
unrestricted in the new BXA export regs to be announced in January, so I
growled and grumped.  I also fired off a couple of posts which expressed
suspicion that NAI's PR was over-stating its new export parameters, or
perhaps, was not acknowledging what I suspected was a requirement that any
"enterprise-class" crypto products ship with NAI's third-party key-recovery
system (Management Access Key) irreversibly enabled for communications systems.

        Well, according to several private notes I have received from NAI --
including a more courteous missive than I deserved from Mark J. McArdle,
NAI's VP for PGP Product Development -- I was simply wrong.  

        Although there seems to be some lingering confusion about how the
BXA regs will address the boundaries between mass market and "retail
products"  -- and while international consumer access to strong crypto
products seems likely to be a moot issue, there is still concern about
crypto sales to network providers and any overseas entity with government
ties, and leveraged products like crypto developers' toolkits  -- NAI
officials feel that the opponents of crypto export controls have won.  Period.

        I can only say I am delighted if this proves to be the case.  NAI's
extended PGP license does indeed seem to be a landmark... for PGP, NAI, BXA,
the Gore campaign, and all the rest of us!

        I won't bother to raise again the old debate about MAK/Key-Recovery
demand in the corporate market, but -- according to NAI -- the PGP suite NAI
will be exporting apparently does not require MAK to be locked in on any
products.  Configuration is left to the customer.  

        NAI's VPN client (PGPnet), an integrated component of the PGP
desktop, will also be shipped full strength, and it is a peer to peer, as
well as peer to gateway, client.  As one NAI spokesman put it: "Not only is
it strong crypto, it's only strong crypto.  It does not support single DES."

        My humble apologies for my public and sardonic skepticism.

        Suerte,
                        _Vin

Vin McLellan
The Privacy Guild 

-----------------------------------------

Vin McLellan wrote:

>        I am more than willing to assume that NAI's relationship with the US
>government is good enough that it got a little head start in obtaining a
>license to offer classic full-strength PGP as "retail" mass-market crypto.
>
>        This is what the rest of the crypto industry expected to get in the new
>Clinton/Gore BXA policy on crypto exports that had been scheduled to be
>announced today, I think.  (That announcement is now delayed until Jan.
>14th, last I heard.)
>
>        But full-strength "enterprise-class products" -- VPNs, etc. --
>without the "key recovery" backdoor locked in and locked open?
>
>        Wow! sez me... hopefully (but very doubtfully.)  PHil rUlz!

------- earlier message ---

>        Unless I missed something big in D.C., I presume this is simply the
>announcement of a pro-forma bulk export license for PGP (and the
>repackaged PGP Enterprise Security Suite?) for Business.
>
>        And, although it is difficult to discern amid all the self-congratulatory
>hoopla, I also presume that NAI's "flagship technology" will only be exported
>outside the US with the "option" for what NAI often obliquely refers to as
>"additional encryption keys" -- third-party (i.e., government and
>management) access to all encrypted communications -- irreversibly locked
>ON in a binary-only format.
>
>        Much ado about nothing for consumers and most corporate buyers,
>right?
>
>        (Which is not to deny that such a license might speed up and make
>shipping schedules more predictable for those ordering these products and/or
>shipping these packages overseas.  I think NAI's earlier blanket license for
>shipping key-recovery-ON versions of PGP for Business to US overseas
>branch offices and subsidiaries did just that two years ago.)
>
>        Fine for folks who want, or need, or are required to build third party
>access into their infrastructure for handling encrypted employee email, files,
>or SSL and VPN sessions -- but somewhat too MAKed and GAKed for most of
>the rest of us.
>
>        Corrections (and appropriate chastisement for my bantering tone) will
>be gratefully accepted.  In this, I'd love to be wrong.

