Electronic Privacy Information Center - http://www.epic.org

_________________________________________________________________

EPIC ANALYSIS OF ADMINISTRATION CRYPTO POLICY PAPER
_________________________________________________________________

A new report from an administration working group calls for the establishment of an international infrastructure for key escrow encryption, called "KMI" or Key Management Infrastructure. The goal of KMI is similar to the original Clipper plan, but is more far-reaching and potentially more damaging to privacy and security on the Internet.

The report contends (as did earlier proposals for other products in the Clipper family) that KMI is necessary to protect public safety and national security. The report also argues for an international key-sharing plan.

The government offers the gradual relaxation of export controls in exchange for a commitment from industry to build in key escrow capability. The proposal suggests that:

-- Export controls will be relaxed where the keys are escrowed in the United States or the U.S. has a government-to-government key escrow agreement with the country of destination.

-- Self-escrow will be an "acceptable" option for large corporations, but independent, government-certified escrow authorities may still be necessary for other organizations.

The proposal clearly requires regulation of encrypted communications. According to the report, a strong key management infrastructure "can be based on a voluntary system of commercial Certificate Authorities (CAs) *operating within prescribed policy and performance guidelines.*" (Emphasis added) The CAs will be certified by a Policy Approving Authority (PAA) -- presumably the government -- which "sets rules and responsibilities for ensuring the integrity of the CAs" and "is also responsible for setting CA performance criteria to meet law enforcement needs."

The proposal concludes with a six-part action plan:

1. Collaborate with industry and standards groups to develop a Key Management Infrastructure

2. Develop a FIPS (Federal Information Processing Standard) for encryption protocol, key exchange and digital signature that would be "mandatory for government use"

3. Develop a Security Management Infrastructure for government use to develop a market for products that support the new FIPS

4. Select a government agency to work with industry to develop security requirements for network security and protecting highly sensitive information

5. Develop legislation for a key management infrastructure that would set policies for escrowed keys and certificate authorities, and address civil liability

6. Develop arrangements with other countries for key sharing

The proposal has been dubbed "Clipper III," a reference to earlier attempts by the Administration to promote key escrow encryption. In the first iteration, the government would have held the keys for all encoded communications. In the current version, the government establishes and certifies key escrow procedures.

In several respects the proposal is also broader than the original Clipper plan. KMI, as conceived by the government, will be a worldwide standard for network communication.

The report is also noteworthy for the issues it does not address. Nothing is said about the reported problems and cost overruns with the government's current key escrow program, the Defense Message System. No attention is given to the increased vulnerability of network communication that will result from KMI or to the threat to privacy and security. No mention is made of the relative ease with which determined attackers will defeat the plan.

EPIC urges members of the net community to contact:

    Interagency Working Group on Cryptography Policy
    Room 10236
    New Executive Office Building
    Washington, D.C. 20503

Urge the Working Group to drop the key-escrow proposal. Clipper and key-escrow just look worse as time passes.