
RE: IPSEC WORKING GROUP LAST CALL



This is becoming fun.. %) 

Perry, I understand the way you feel and I'm not happy about the situation either. But it
is what we are stuck with and I can't do anything about it.  And it certainly will not be just
me. There will be many many people in this situation. 

So, I need this.  A bunch of us need this.   If you aren't comfortable agreeing to 
a standards document, then provide a number and a method for negotiating down 
to stupid. I think that is reasonable.  That gives you a way to say you don't endorse
it and allows those of us that do have to depend on exporting products to stay in
business or out of jail..    

Righteous indignation aside, this really is critical for some of us. 

-Rob


On Friday, February 20, 1998 12:27 PM, Perry E. Metzger [SMTP:perry@piermont.com] wrote:
> 
> Someone writes:
> > As Bob said, how to weaken the key is well known but I figured a CBC-MAC
> > was well known and that apparently is not the case. We need documents
> > describing things and there is no document describing "40 bit DES"
> 
> I removed "someone"'s name because I don't want them to think the
> following targets them specifically. It is directed not at particular
> people but at the notion of ciphers with inadequate key lengths being
> standardized, even in the "sheep's clothing" of variable length
> ciphers that permit inadequate lengths.
> 
> <flame height="empire state building" heat="5000 degrees k">
> 
> I don't understand why we wish to specify this at all. Even single DES
> isn't secure any more. IBM, to their credit, doesn't call their 40 bit
> DES based algorithm encryption -- they call it "commercial data
> masking".
> 
> You argue "hey, some of us have to make a living". Well, do it in a
> less damaging way -- sell CD-ROM encyclopedias door to door or
> something.  If you insist on selling your customers junk -- and 40 bit
> encryption is *junk* -- please do not ask the rest of us to endorse
> your mechanism with the imprimatur of the IETF. The last thing I want
> on earth is to see such a box sold with a brochure advertising its
> compliance with RFC YYYY. Find a better way of marketing the
> antifreeze you propose selling as booze to the third world
> natives. You don't need an RFC number to do that.
> 
> Oh, and if any vendor does go through the exercise of selling such a
> thing, I suspect that software will be widely distributed on the net
> to help even unskilled teenage crackers break the "encryption"[sic]
> without having to know what they are doing. I suspect that because if
> no one else does I'll write it and distribute it myself. A false sense
> of security is worse than no security.
> 
> The 40 bit "encryption" fraud must end.
> 
> I've flamed on enough here already, and won't go any further with it
> right now. I believe people can tell how strongly I feel about this.
> 
> </flame>
> 
> 
> Perry
> 

