[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NIST involvement in PKI

At 11:20 PM 8/6/96 -0400, Rich Salz wrote:
>>        I need to check with folks down the road at NSA.  The last time I
>>talked with them, crypto for authentication (which is what SPKI is for) is
>>freely exportable and we don't even need to bring it to the attention of the
>>Commerce Dept, much less State Dept (= NSA).
>No, you must apply for a CJR -- Commerce Jurisdiction Ruling -- from

I may try the CJ route, just out of general interest, but the folks I talked
to from the export office of NSA last year were quite adamant about my not
having even to mention the crypto (much less give them paperwork) if all I'm
doing is authentication.  They were even stronger about it -- saying that I
could use absolutely any crypto I wanted of arbitrary strength -- provided
it was authentication only.  (E.g.: One system mfgr I worked for a while
back used 32*DES to do password hashing (yes - not a typo for 3-DES).)

For that matter, I could do a sample SPKI implementation using DSA and
publish all the source, including the DSA, just as NIST did.  I wonder if
there's a prize from the gov't for users of DSA :).

 - Carl

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                              http://www.cybercash.com/    |
|207 Grindall Street           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103       T:(410) 727-4288     F:(410)727-4293        |