[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NIST involvement in PKI



At 11:07 AM 8/7/96 -0700, Hal wrote:
>From: Carl Ellison <cme@cybercash.com>
>>         I need to check with folks down the road at NSA.  The last time I
>> talked with them, crypto for authentication (which is what SPKI is for) is
>> freely exportable and we don't even need to bring it to the attention of the
>> Commerce Dept, much less State Dept (= NSA).
>
>This is the first I have heard that SPKI is only for authentication.
>Surely the Simple Public Key Infrastructure it creates could be used for
>secrecy as well.  I had though that one purpose of SPKI was to allow
>people to have confidence that the keys they are selecting for encrypting
>messages are the right ones to use.

The SPKI certificate itself is not capable of encrypting data of any form.
It, itself, can not be used for confidentiality.  That's what I meant.  Code
which creates and checks SPKI certificates is not code which permits anyone
to achieve confidentiality -- and therefore is not code subject to ITAR.

Of course, one might use SPKI certificates to bind confidentiality keys to
names or authorities, for e-mail or secure connection purposes.  Then again,
one can use Microsoft Word to create documents which are encrypted.  One can
use Windows3.1 to run both Word and PGP.  Neither Windows nor Word achieves
confidentiality any more than SPKI Certificate generation and verification
code would.

+--------------------------------------------------------------------------+
|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                              http://www.cybercash.com/    |
|207 Grindall Street           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103       T:(410) 727-4288     F:(410)727-4293        |
+--------------------------------------------------------------------------+