Dear Readers,

If you check the Cipher web pages regularly, you will know that many of the items in this issue have been available for a week or two; my apologies to the authors for not getting this issue out until now, but I think you will find the content worthwhile nonetheless. The next Cipher will appear (I hope!) in mid- to late September.

A few highlights in the area of security and privacy since the last issue:
In June, a three-judge panel in Philadelphia ruled that the US Communications Decency Act indeed violated the US Constitution and issued a preliminary injunction against its enforcement. In July, the Justice Department announced that it would appeal the case to the Supreme Court.

NIST held a workshop on sharing computer vulnerability data; results should be available soon, but in the meantime, Chris Klaus of ISS has devoted a section of his web site to this topic; see

On the countermeasures side, Janet Misich of DISA's Center for Information Systems Security broadcast a call for security products to be placed in their catalog and database; contact her at or (703)681-1345 if you have a product to list.

Also in June, the UK Department of Trade and Industry held a meeting on "Trusted Third Party" proposals; check sci.crypt for a stinging account of it by Ross Anderson. Brian Gladman also distributed comments on the UK's cryptographic policies, suggesting that while the proposals represent progress of a sort, they raise many questions that so far are unanswered. The text of the government's position is said to be available at but I was unable to get through just now. Reports also circulated that the OECD, meeting in Paris June 26-28 to consider cryptography policy, failed to take the next step toward international recognition of key-escrow systems. The group is scheduled to meet in Paris again September 26-27.

Inter@ctive Week reported that Trusted Information Systems announced the sale of a system that would support commercial key escrow applications to "a large multinational corporation with headquarters outside the US." The firm was speculated to be Royal Dutch Shell.

The Internet Architecture Board (IAB) and Internet Engineering Steering Group (IESG) also weighed in with a statement on cryptographic policy and the Internet, arguing that restrictions on the use of cryptography, on key length, and other controls are against the interest of consumers. The statement favors "ready access to uniform strong cryptographic technology for all Internet users in all countries."

Meanwhile, testimony of luminaries of the cryptographic world was heard on Capitol Hill and via live audio over the Internet concerning the PRO-CODE legislation. No one's opinions seemed to be changing very much, though Netscape has now been permitted to distribute its export-controlled versions electronically. See the New Reports section of this issue for other export-controlled source code made available for electronic distribution since June.

Mastercard and Visa published a new specification for Secure Electronic Transactions (SET). According to some reports, earlier versions of the specification provided less cardholder information to the retail merchant, to prevent fraud, but the current version reflects changes made in response to merchants' complaints and permits them greater access to cardholder data.

Cipher needs your contributions; there have been (and will be, in August) several conferences that I would like to receive reports on, and there are probably others you know about and I don't. Please don't hesitate to write up what you learn that you think will be of general interest and send it in.

Carl Landwehr
Editor, Cipher