Re: 40bit DES?
I'm a European guy working for an American company :-)
and I have talked with dozens of organizations on this topic.

May I just add my few 0.01 EUR to the discussion?

1) There *are* countries which forbid the use of 40+ encryption
(France is the best known!). This is a local issue only and
has nothing to do with the US.

2) There *are* applications which are secured enough with a
40-bit encryption (think about grammar school, small/medium
business with nearly no industrial secret, ...).

1) + 2) makes the standardization of 40-bit ESP mandatory. Period.

AFAIK (but it is not my domain) strong D-H groups and long
RSA/DSS keys for signatures are usually not restricted.

The rest is just bla-bla...

And this bla-bla is probably good news: if the list members have
time to spend on this thread, this means that the standards, products, ...
are mostly available ;-)

Just my 0.01 EUR

-eric

PS: do not take my e-mail message for what it is not. If someone
ever presented 40-bit encryption as secure enough for *any*
application, I would call his/her statement a lie...

At 16:08 12/05/98 -0400, Perry E. Metzger wrote:
>
>Jim Gillogly writes:
>> > >> there seems to be 3 things needed for 'US exportable' IPsec:
>> > >>
>> > >> A 40bit DES ESP algorithm
>
>> Tell me again why we want it? We already have the NULL ESP algorithm,
>> which provides a proof of concept of the framework without providing
>> security. Another such algorithm would seem to be overkill.
>>
>> Again -- our job is to provide a technical spec to allow people to
>> communicate securely. If we compromise it so that the lowest common
>> denominator is insecure, we're wasting our time.
>
>Indeed, DES with 56 bits isn't secure. With 40 bits, you are wasting
>the time of your customers. I've said it before and I'll say it again
>-- selling 40 bit cryptography to your customers, even if they ask for it,
>is like selling patent medicine to a cancer patient -- it's more or
>less fraud. Even IBM doesn't pretend CDMF provides any security at
>all -- thus the name.
>
>If the U.S. congress wants to hand your customers over to SSH and
>other overseas companies selling crypto software, complain to
>Congress, not the IETF. Anyone who wants to can buy compliant code,
>and if they can't buy it from you because you are "locationally
>challenged", that's between you and your congressman, and frankly,
>most of the companies complaining have more than enough money to go
>out and lobby.
>
>Perry
>
Eric Vyncke
Technical Consultant Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke@cisco.com Mobile: +32-75-312.458