On September 16, 1998, Vice President Gore announced a loosening of
restrictions on exporting strong encryption products. Some of the
highlights include: permission to export 56-bit encryption to all but 7
countries following a one-time review, permission to export arbitrarily
strong encryption to 45 countries following a one-time review for the
companies in the sectors of insurance, health and medical (except
biochemical and pharmaceuticals), on-line merchants, and foreign
subsidiaries of U.S. companies. Another change was that companies will
no longer be required to set out a key recovery plan to qualify for
export. Civil liberties groups were less than enthusiastic since the
loosening still restricts export for individual use to 56 bits.
Barry Steinhardt, president of the Electronic Frontier
Foundation, called the announcement "a half-step. The reliance on
56-bit crypto is almost laughable."
Industry response was generally more favorable.
Industry spokespersons found it less than they hoped for but a
positive move and used expressions like "a good first step" in
response to the announcement.

The US National Research Council released a report, Trust in
Cyberspace, on September 29th. The report was prepared by a committee
chaired by Fred Schneider of Cornell University and convened under the
Computer Science and Telecommunications Board. The main conclusion of
the report is that the federal government needs to take a lead in
supporting research to bolster the security and reliability of
networked information systems. The report observes the dire need for
research to make the nation's vital services secure and reliable while
noting the absence of incentives for the private sector to conduct this
research. The report also proposes a research agenda to meet these
needs. The released prepublication version of the report contains the
following sections: Introduction, Public Telephone Network and Internet
Trustworthiness, Software for Networked Information Systems,
Reinventing Security, Trustworthy Systems from Untrustworthy
Components, The Economic and Public Policy Context, and Conclusions and
Research Recommendations. It can be viewed on the Web or purchased from
the National Academy Press at
http://www.nap.edu/readingroom/.

Citing concern over the posting of sensitive information on DOD Web
sites, Deputy Secretary of Defense John Hamre announced new guidelines
on what can be posted. He noted the challenge of balancing the
need to have useful information on those sites while avoiding
providing information that could be dangerous if misused by
"malefactors of various sorts". Data related to military plans, lessons
learned, exercises, known vulnerabilities, unit locations, military
installation information and personal data on service personnel were
all slated for immediate removal by the directive. There will also be a
task force created under the assistant secretary of Defense for C3I to
develop policies governing postings to DOD Web sites as well as DOD use
of the Internet in general.

In August, Netscape and Verisign struck a deal to integrate their PKI
technology. At the same time, the firewall maker Check Point announced
it will incorporate Entrust's PKI technology into its VPN software.
Meanwhile, at the end of July IBM (Lotus, Iris) made their
implementation of the IETF draft standard PKIX available for free
through an MIT Web site
http://web.mit.edu/pfl/. The company intends to
integrate this implementation into its own products and hopes that
other vendors will do so as well. Finally, in September Network
Associates announced a partnership with both Entrust and Verisign to
ensure that PKI technology from these companies will smoothly
interoperate with Network Associates' Net Tools. Certificates from
both companies as well as from Network Associates' own PGP are planned
to all be compatible when used with Net Tools.

Banks have so far been less than enthusiastic in adopting the use
of SET (Visa and Mastercard's Secure Electronic Transactions
standard for Internet credit card transactions). To reduce this
reluctance Visa is now waiving standard transaction fees if
both the merchant's bank and the customer's bank are using SET.
Mastercard meanwhile is providing banks with certificate issuing
services that the banks would otherwise need to do themselves
and making SET transactions function in the existing Mastercard
system. On-line Internet merchants have also been hesitant to
move on SET, and it remains to be seen what carrots (or sticks)
will be offered to them.

US loosens crypto export restrictions
NRC Report, Trust in Cyberspace, calls for federally funded research
US Dept. of Defense tightens policy for Web site postings
PKI collaborations, interoperations, and freeware standard
implementations announced
Visa and Mastercard offer incentives for banks to use SET