Ran Atkinson <rja@bodhi.cs.nrl.navy.mil> Thu, 06 April 1995 10:51 UTC

To: iesg@CNRI.Reston.VA.US
Subject: encryption
Date: Thu, 6 Apr 95 6:51:44 EDT
From: Ran Atkinson <rja@bodhi.cs.nrl.navy.mil>
Message-ID: <9504060651.aa17603@bodhi.nrl.navy.mil>


I'm leaving early and hence will miss the fireworks this evening
regarding mandating encryption.  It is my belief that if the IESG does
not stand behind its existing Proposed Standard mandating encryption
for IPv6, then it must give up all claims to be an international
organisation.  After all, France prohibits encryption entirely, not
just export.  And Switzerland is the home of Crypto AG, a large
commercial cryptography firm, and regularly exports crypto to many
customers (not just Banks).  Why let US law drive things instead of
some other country's law?

Further, I believe that if some kind of encryption is not mandated,
that the Internet will suffer in the future.  Many of the issues
arising from Secure HTTP/Secure Sockets Layer/etc would not be here
today if the Internet had mandated encryption 2-3 years ago.  Those
issues are significantly impairing interoperability and should be
issues that we address.

Although I have reason to believe that most major vendors will
implement encryption even though it is not exportable, export controls
should not be the issue.  A legitimate issue is whether there is a
"level playing field".  I believe that mandating encryption does not
remove the "level playing field" for firms desiring to be in the
TCP/IP market.  The laws of the various countries apply to all firms
operating in the respective countries, not just to some firms.  This
is fair.  I'm quite sure that when firms wish to sell their TCP/IP
products in France that their marketing folks can devise suitable
weasel words (e.g. "Fully complies with IPv6 except for encryption")
or in many cases they will just lie (possibly saying "Implements
IPv6").  Most firms already have multiple kernels and so adding one
more compile-time option is just not a big deal.

I have strong reason to believe that the US Government will require
that IPv6 encryption be implemented as a "must have in order to bid"
item for at least one large (over $1 billion) workstation contract
when that contract comes up for renewal.  The last time that contract
was issued, the Government mandated full SNMPv2 including DES and all
bidders implemented that and offered it.  It also mandated IP
multicast, which is one reason that HP and IBM have finally
implemented IP multicast.  HP ultimately won that contract.  If
FEDERAL COMPUTER WEEK is accurate, DEC and IBM also bid on that
particular contract.  This is not an official statement of the US
Government, however, as I'm not an official spokesperson.

In the final analysis, this week's fireworks against encryption are an
emotional attempt to overturn an IPng process that the community
agreed to, that was adhered to, and that resulted in community
consensus that we need encryption in the Internet.  There was a Last
Call on the IPng Recommendation.  People who objected to mandating
encryption had ample opportunity to do so at that time.  An objection
this late in the day is out of order -- as there is no process
violation and there is, I believe, community consensus (rough but not
smooth) that encryption should be mandated.

Yours for a better Internet,