t byfield on Sun, 28 Jun 1998 19:53:35 +0200 (MET DST) |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
<nettime> US FIPS project falters |
<http://jya.com/gak-fails.htm> 26 June 1998 ---------------------------------------------------------------------------- Date: Fri, 26 Jun 1998 16:03:34 -0500 To: John Young <[email protected]> From: Alan Davidson <[email protected]> Subject: Fips Flop John, Thought you might be interested in this for Cryptome. The final letter from NIST's Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure is attached below. Regards, Alan Alan Davidson, Staff Counsel 202.637.9800 (v) Center for Democracy and Technology 202.637.0968 (f) 1634 Eye St. NW, Suite 1100 <[email protected]> Washington, DC 20006 PGP key via finger ----------------- U.S. effort on encryption "backdoors" ends in failure By Aaron Pressman WASHINGTON, June 25 (Reuters) - A U.S. government panel has failed in a two-year effort to design a federal computer security system that includes "back doors," a feature that would enable snooping by law enforcement agencies, people familiar with the effort said this week. The failure casts further doubt on the Clinton administration policy -- required for government agencies and strongly encouraged for the private sector -- of including such back doors in computer encryption technology used to protect computer data and communications, according to outside experts. But administration officials said the panel, which is set to expire in July, simply needed more time. <...> The 22-member panel appointed by the secretary of commerce in 1996 concluded at a meeting last week that it could not overcome the technical hurdles involved in creating a large-scale infrastructure that would meet the needs of law enforcers, panel members said. The group was tapped to write a formal government plan known as a "Federal Information Processing Standard," or FIPS, detailing how government agencies should build systems including back doors. In a letter to Commerce Secretary William Daley obtained by Reuters, the panel said it "encountered some significant technical problems that, without resolution, prevent the development of a useful FIPS." "Because the focus of this work is security, we feel that it is critically important that we produce a document that is complete, coherent, and comprehensive in addressing the many facets of this complex security technology," the group added. "The attached document does not satisfy these criteria." The group is formally known as the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure, but with the unwieldy acronym of TACDFIPSFKMI, members of the panel jokingly referred to themselves as "Bob." The failure after two years to write a FIPS vindicates the view of critics of the administration's encryption policy, said Alan Davidson, staff counsel at the Center for Democracy and Technology, a nonprofit advocacy group. "The administration keeps spending taxpayer money to pursue a ... strategy that's wrong-headed and won't protect security," Davidson said. "Its own advisory committee can't answer basic questions about how to make it work for the government, yet they continue to push for its adoption by everyone, worldwide." <...> Bruce Schneier, a leading cryptography researcher and critic of the government policy, said the FIPS panel failed because of the impossibility of meeting the needs of both law enforcers and industry. <...> But Edward Roback, an official with the U.S. National Institution of Standards and Technology who worked closely with the panel, said the technical problems the group encountered were surmountable with more time. <...> Friday, 26 June 1998 14:17:59 RTRS [nN25122338] ------------------------------------------------------------------------ Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd. ------------------------------------------------------------------------ Final Letter From the National Instititue of Standards and Technology (NIST) Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure June 19, 1998 ------------------------------------------------------------------------ Dear Mr. Secretary: We respectfully submit the attached technical input from the "Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure" (TAC) for Requirements for Key Recovery Products. The TAC is cognizant of the steps you are obligated to take under various statutes and policies to seek public comment in making your determination about implementing a Federal Information Processing Standard. However, the TAC believes significant, substantive additional work is necessary before this document will be ready for the next step in the process. Specifically, we believe that this document is not ready to be released for public comment, to be used as a basis for generation of answers to policy questions relevant to a FIPS, or to begin planning for development of implementation guidance. With regard to this latter topic, we suggest initiating work on detailed implementation guidance, once this document is completed. Such guidance will be essential to the successful deployment of any key recovery system (KRS), since many aspects of KRS security are outside the scope of the work we have undertaken. We also urge pursuit of conformance testing based on the NVLAP model, e.g., as employed for FIPS 140-1. Because of the complexity and security sensitivity of KRS technology, we do not support vendor self-declaration of conformance. The TAC has made substantial progress and a completed version of the work begun here could provide a basis for the development of a FIPS. However, the TAC encountered some significant technical problems that, without resolution, prevent the development of a useful FIPS. There are unresolved conflicts among some requirements. In addition, the model that underlies the product evaluation process is not yet complete. In retrospect, the time and effort devoted to this task were not sufficient to develop an adequate set of technical requirements for a FIPS. Because the focus of this work is security, we feel that it is critically important that we produce a document that is complete, coherent, and comprehensive in addressing the many facets of this complex security technology. The attached document does not satisfy these criteria. The TAC understands that its charter expires in July of 1998. However, the TAC has gained much experience during this process, and is willing to continue to work towards the completion of its initial charge. As you know, TAC members were appointed for their individual expertise. The actions of the TAC do not have the explicit or implicit endorsement of the corporations or organizations with which its members are affiliated. On behalf of the TAC, we hope that you find our efforts have been useful, and we thank you for the opportunity to work on your behalf. ---------------------------------------------------------------------------- More on the committee's final work and documents: Source: http://csrc.nist.gov/tacdfipsfkmi/ Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure The Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure was established by the Department of Commerce in July, 1996. The Committee, which was formally chartered on July 24, 1996, held its first meeting on December 5-6, 1996. The Committee's last meeting was held June 17-19, 1998. [Excerpts] Meeting Agendas 1998-05-21 June 17-19, 1998 Meeting agenda9806.txt Agenda [908 bytes] Materials from June 1998 Meeting June 19, 1998 Revised Cover Letter (6/19/98) revisedcover.txt June 19, Revised Assembled Document (6/19/98) 1998 (MS Word '97) revisedFIPS9806.doc June 1998 Discussion Draft Cover Letter cover.txt June 1998 Draft Assembled Document (MS Word FIPS698_Word97.doc '97) Original June 1998 Draft Assembled Document (MS Word 6 / FIPS698_Word95.doc '95) June 1998 Draft Assembled Document text format FIPS698.txt --- # distributed via nettime-l : no commercial use without permission # <nettime> is a closed moderated mailinglist for net criticism, # collaborative text filtering and cultural politics of the nets # more info: [email protected] and "info nettime-l" in the msg body # URL: http://www.desk.nl/~nettime/ contact: [email protected]