TIS Labs Unveils New Digest Algorithm

Network Associates' TIS Labs introduced a new mechanism for producing CRYPTO digests, called triple-Daves. While it is based on variations on single-Daves, which can be perfectly adequate for many purposes, the results of this combined approach seem very positive. See related story.

US loosens crypto export restrictions

On September 16, 1998, Vice President Gore announced a loosening of restrictions on exporting strong encryption products. Some of the highlights include: permission to export 56-bit encryption to all but 7 countries following a one-time review, permission to export arbitrarily strong encryption to 45 countries following a one-time review for the companies in the sectors of insurance, health and medical (except biochemical and pharmaceuticals), on-line merchants, and foreign subsidiaries of U.S. companies. Another change was that companies will no longer be required to set out a key recovery plan to qualify for export. Civil liberties groups were less than enthusiastic since the loosening still restricts export for individual use to 56 bits. Barry Steinhardt, president of the Electronic Frontier Foundation, called the announcement "a half-step. The reliance on 56-bit crypto is almost laughable." Industry response was generally more favorable. Industry spokespersons found it less than they hoped for but a positive move and used expressions like "a good first step" in response to the announcement.

NRC Report, Trust in Cyberspace, calls for federally funded research

The US National Research Council released a report, Trust in Cyberspace, on September 29th. The report was prepared by a committee chaired by Fred Schneider of Cornell University and convened under the Computer Science and Telecommunications Board. The main conclusion of the report is that the federal government needs to take a lead in supporting research to bolster the security and reliability of networked information systems. The report observes the dire need for research to make the nation's vital services secure and reliable while noting the absence of incentives for the private sector to conduct this research. The report also proposes a research agenda to meet these needs. The released prepublication version of the report contains the following sections: Introduction, Public Telephone Network and Internet Trustworthiness, Software for Networked Information Systems, Reinventing Security, Trustworthy Systems from Untrustworthy Components, The Economic and Public Policy Context, and Conclusions and Research Recommendations. It can be viewed on the Web or purchased from the National Academy Press at http://www.nap.edu/readingroom/.

US Dept. of Defense tightens policy for Web site postings

Citing concern over the posting of sensitive information on DOD Web sites, Deputy Secretary of Defense John Hamre announced new guidelines on what can be posted. He noted the challenge of balancing the need to have useful information on those sites while avoiding providing information that could be dangerous if misused by "malefactors of various sorts". Data related to military plans, lessons learned, exercises, known vulnerabilities, unit locations, military installation information and personal data on service personnel were all slated for immediate removal by the directive. There will also be a task force created under the assistant secretary of Defense for C3I to develop policies governing postings to DOD Web sites as well as DOD use of the Internet in general.

PKI collaborations, interoperations, and freeware standard implementations announced

In August, Netscape and Verisign struck a deal to integrate their PKI technology. At the same time, the firewall maker Check Point announced it will incorporate Entrust's PKI technology into its VPN software. Meanwhile, at the end of July IBM (Lotus, Iris) made their implementation of the IETF draft standard PKIX available for free through an MIT Web site, http://web.mit.edu/pfl/. The company intends to integrate this implementation into their own products and hopes that other vendors will do so as well. Finally, in September Network Associates announced a partnership with both Entrust and Verisign to ensure that PKI technology from these companies will smoothly interoperate with Network Associates' Net Tools. Certificates from both companies as well as from Network Associates' own PGP are planned to all be compatible when used with Net Tools.

Visa and Mastercard offer incentives for banks to use SET

Banks have so far been less than enthusiastic in adopting the use of SET (Visa and Mastercard's Secure Electronic Transactions standard for Internet credit card transactions). To reduce this reluctance, Visa is now waiving standard transaction fees if both the merchant's bank and the customer's bank are using SET. Mastercard meanwhile is providing banks with certificate issuing services that the banks would otherwise need to do themselves and making SET transactions function in the existing Mastercard system. On-line Internet merchants have also been hesitant to move on SET, and it remains to be seen what carrots (or sticks) will be offered to them.