[2241] in cryptography@c2.net mail archive

HP ICF/VerSecure - reactions?

daemon@ATHENA.MIT.EDU (Stefek Zaba)
Mon Mar 2 20:13:38 1998

Date: Mon, 2 Mar 1998 22:33:40 GMT
From: Stefek Zaba <sjmz@szaba.hpl.hp.com>
To: cryptography@c2.net

[HP's various GAK and export friendly moves have been a thorn in many
a side. If people can get well reasoned responses to Stefek it would
be greatly appreciated. --pm]

Hi list-members,

apologies for delurking after an indecently short interval (hours only) on
this list. My dear employer, HP, announced on fri27mar98 that export
approval has been granted for the policy-token-issuing component of what
was known in the past as HP's "International Cryptography Framework", was
believed to be morbid if not dead, but is now back as VerSecure (
http://co.hp.com/versecure/verse.htm ). Having argued strongly on HP's
behalf in the UK against "Trusted Third Party" proposals (see
 http://www-uk.hpl.hp.com/people/sjmz/dtiprop/overview.htm ), I've picked
up the task of gathering for HP's senior management the reaction of the
crypto community and potential customers to this announcement, and I have
a window for presenting such reaction with all the calm suited suavity
those few of you who know me personally would expect in the second half of
this week. Thus-and-therefore, initial reactions to same - whether to the
list or by email to me at stefek_zaba@hp.com, PGP-encrypted mail welcome -
are hereby welcomed; calm, reasoned technical- and business-focussed
assessments will be valued, mouth-frothing will be merely tallied. I'll do
a general summary to the list of anything received by email alone; your
comments won't be attributed individually either in such a summary or to
other people in HP internally unless you tell me it's OK to do so. Within
the bounds of my obligations as an HP employee (i.e. shorn of all
colourful detail and useful decisions, probably :-() I'll feed back to the
list some sort of reaction-to-the-reaction.

I don't have much more detail to share about the technology than is shown
on the Web pages - as far as I can work out the export clearance is at the
"commodity" level for the individual crippled-crypto commodity items
(which again as far as the Web pages reveal don't actually *exist* as
things you can kick, or subject to physical attack, yet - rather as a
concept you can license); but the policy-token-issuing things ("SDA
servers", where SDA = Security Domain Authority) will be under
case-by-case export control. It's ambiguous, in my reading of the FAQ,
whether the sentence "SDAs agree to make key recovery available as an
option." is illustrative or normative - i.e. a plausible reading is that
export for SDAs (which are needed to enable the "dormant" crypto) will be
granted only to organisations which offer to issue key-recovery-compliant
policy tokens as well as non-KR tokens.

Thanks for your reactions, and again apologies for leaping in with both
feet first...

Stefek
