To: cypherpunks@toad.com

Date: Mon, 18 Nov 1996 10:09:00 -0800

From: Hal Finney <hal@rain.org>


HP proposal available

HP has put up info on its crypto proposal at http://www.hp.com/go/icf. You can also try http://www.dmo.hp.com/gsy/security/icf/main.html if that URL is slow. [Or, if those are too slow, see http://jya.com/hpicf.htm.]

The basic idea is what we had been speculating, their old "International Cryptography Framework" based on hardware crypto cards. It has now been given government approval, which is no big surprise since the system looks like it's been designed by fed bootlickers.

The claim of other companies signing on is less impressive than it sounds. They're using Microsoft's Crypto API, and of course Microsoft would like plenty of companies to use it. Intel offers to build some hardware, which is more business for them. "Netscape and VeriFone are exploring a wide range of uses for ICF technology." That's all they say about those companies. This is hardly a commitment; Netscape and other companies generally keep abreast of everything happening in the field to keep their options open. So this is not a resounding endorsement.

The one good thing about the plan is that since it is very complicated and requires specialized hardware, we probably won't see any impact from it for years. Hopefully it will be obsolete before it can be deployed.

The plan itself is an NSA wet dream. Not only do you need a token from Big Brother to activate the crypto in your computer (the token can be hardware or software, but the crypto card itself apparently must be hardware), it's also necessary for any application which wants to use crypto to supply an application-specific certificate to the card.

This lets the law enforcement bureaucrats not only determine who gets to use crypto, but which applications get access to it. If you want to build an app which will use crypto you'll have to get permission from the authorities in order for them to give you a certificate which you can compile in to let your app run.

The one thing which was not clear was how much of these rules would apply within the U.S. In fact notably missing from the press release, white paper, overviews, slides, etc. on the web site was any discussion of civil liberties impact. It certainly was not listed as one of the considerations in the design of the system.

Overall, I'd say this is just HP trumpeting the unsurprising government approval of their ICF system and turning it into a press event by providing some lukewarm "endorsements" from well-known companies. This system looks to me like it's got a long way to go before it becomes a widely used standard.

Hal


See November 18 reports of HP press conference.