[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Fwd: Re: 40bit DES?



Forgive me, I don't mean to disagree with anything Perry is saying, but is
that
a "don't put it in the draft" or a "don't admit you've seen an informational
RFC" or a "mandate we refuse to think about it" or what?

[actually, I think that Perry's statement hangs together quite well.]

>To: jim@mentat.com (Jim Gillogly)
>cc: chk@utcc.utoronto.ca, rgm-sec@htt-consult.com, ipsec@tis.com
>Subject: Re: 40bit DES? 
>Reply-To: perry@piermont.com
>X-Reposting-Policy: redistribute only with permission
>Date: Tue, 12 May 1998 16:08:30 -0400
>From: "Perry E. Metzger" <perry@piermont.com>
>Sender: owner-ipsec@ex.tis.com
>
>
>Jim Gillogly writes:
>> > >> there seems to be 3 things needed for 'US exportable' IPsec:
>> > >> 
>> > >> A 40bit DES ESP algorithm
>
>> Tell me again why we want it?  We already have the NULL ESP algorithm,
>> which provides a proof of concept of the framework without providing
>> security.  Another such algorithm would seem to be overkill.
>> 
>> Again -- our job is to provide a technical spec to allow people to
>> communicate securely.  If we compromise it so that the lowest common
>> denominator is insecure, we're wasting our time.
>
>Indeed, DES with 56 bits isn't secure. With 40 bits, you are wasting
>the time of your customers. I've said it before and I'll say it again
>-- selling 40 bit cryptography to your customers, even if they ask it, 
>is like selling patent medicine to a cancer patient -- its more or
>less fraud. Even IBM doesn't pretend CDMF provides any security at
>all -- thus the name.
>
>If the U.S. congress wants to hand your customers over to SSH and
>other overseas companies selling crypto software, complain to
>Congress, not the IETF. Anyone who wants to can buy compliant code,
>and if they can't buy it from you because you are "locationally
>challenged", that's between you and your congressman, and frankly,
>most of the companies complaining have more than enough money to go
>out and lobby.
>
>Perry
>