
Re: NIST involvement in PKI

From: Carl Ellison <cme@cybercash.com>
>         I need to check with folks down the road at NSA.  The last time I
> talked with them, crypto for authentication (which is what SPKI is for) is
> freely exportable and we don't even need to bring it to the attention of the
> Commerce Dept, much less State Dept (= NSA).

This is the first I have heard that SPKI is only for authentication.
Surely the Simple Public Key Infrastructure it creates could be used for
secrecy as well.  I had thought that one purpose of SPKI was to allow
people to have confidence that the keys they are selecting for encrypting
messages are the right ones to use.

Or do you mean that SPKI really only describes the formats of the
certificates that are used to authenticate keys in different ways, and
what the users then do with these authenticated keys is outside the scope
of the spec?

>         What I need to find out is whether NSA would applaud the export of
> source code for authentication-only applications without the crypto
> routines.  I believe they would, but I don't know what kind of approval
> process there is.

Unless I am mistaken and there is something about SPKI which makes it
impossible to use the keys it authenticates for encryption, I doubt that
the NSA would like to see anything spread which could facilitate the safe
and easy use of encryption.

Hal Finney