[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: 40bit DES?

To: perry@piermont.com, jim@mentat.com
Subject: RE: 40bit DES?
From: Roy Pereira <rpereira@TimeStep.com>
Date: Tue, 12 May 1998 16:56:14 -0400
Cc: chk@utcc.utoronto.ca, rgm-sec@htt-consult.com, ipsec@tis.com
Sender: owner-ipsec@ex.tis.com

blah, blah, blah..... Regardless of what your opinion is, in the real
world we are forced with export issues.  Sure 40-bit DES isn't secure,
but it sure is a lot better than no encryption or not having any sales?
Its time to move from the theoretical to the practical.  I can dream of
a day when we all live together in harmony with world peace, but reality
dictates something else, doesn't it?

> -----Original Message-----
> From: Perry E. Metzger [mailto:perry@piermont.com]
> Sent: Tuesday, May 12, 1998 4:09 PM
> To: jim@mentat.com
> Cc: chk@utcc.utoronto.ca; rgm-sec@htt-consult.com; ipsec@tis.com
> Subject: Re: 40bit DES? 
> 
> 
> 
> Jim Gillogly writes:
> > > >> there seems to be 3 things needed for 'US exportable' IPsec:
> > > >> 
> > > >> A 40bit DES ESP algorithm
> 
> > Tell me again why we want it?  We already have the NULL ESP 
> algorithm,
> > which provides a proof of concept of the framework without providing
> > security.  Another such algorithm would seem to be overkill.
> > 
> > Again -- our job is to provide a technical spec to allow people to
> > communicate securely.  If we compromise it so that the lowest common
> > denominator is insecure, we're wasting our time.
> 
> Indeed, DES with 56 bits isn't secure. With 40 bits, you are wasting
> the time of your customers. I've said it before and I'll say it again
> -- selling 40 bit cryptography to your customers, even if 
> they ask it, 
> is like selling patent medicine to a cancer patient -- its more or
> less fraud. Even IBM doesn't pretend CDMF provides any security at
> all -- thus the name.
> 
> If the U.S. congress wants to hand your customers over to SSH and
> other overseas companies selling crypto software, complain to
> Congress, not the IETF. Anyone who wants to can buy compliant code,
> and if they can't buy it from you because you are "locationally
> challenged", that's between you and your congressman, and frankly,
> most of the companies complaining have more than enough money to go
> out and lobby.
> 
> Perry
>

Follow-Ups:

Re: 40bit DES?

From: "Perry E. Metzger" <perry@piermont.com>

Re: 40bit DES?

From: Jim Thompson <jim@smallworks.com>

RE: 40bit DES?

From: "Steve Goldhaber" <goldy@compatible.com>

Prev by Date: New key-recovery mailing list
Next by Date: Re: 40bit DES?
Prev by thread: Re: 40bit DES?
Next by thread: Re: 40bit DES?
Index(es):
- Main
- Thread