Re: Euro-move to key-escrow encryption


Sender: •••@••.••• (Jerome Thorel)

Andy said:
>I have to thank Jerome Thorel for this information, as well as for the
>following posting that fills in some details.  I realize that a lot is
>left unclear, such as who has authority to approve and actually put
>the Council of Europe's proposal into law.  More information would be

The Council of Europe, based in Strasbourg, has no official powers in each
member state. It's a kind of Organization for American States -- only a
council of proposition, of moderation, that's all. But their guidelines are
taken seriously by national governments.

People must avoid confusion with the European Union (15 members, the
former ECommunity), and the EU Commission, in Brussels, which is an
executive body of the EU, but with limited powers - the EU Commission has
much more power than the CoE. But in defense, state security -- and
encryption -- only national governments have the power to change or adapt

So these 2 decisions won't change the way European countries will manage
encryption, BUT it's a MOVE that will surely be followed in the following



Sender: "Craig A. Johnson" <•••@••.•••>

Henry Huang wrote, on 26 Sept:

> Frankly, I'm not sure why the Gov't would even want to bother
> banning non-escrowed encryption.  It's not like it's actually used
> much now. And their actions only serve to draw increasing suspicion
> to their motives (which, as revealed by EPIC, are *extremely*
> unsavory).

Henry, it is not true that non-escrowed encryption is little used.
Triple DES, RSA, and even PGP are used quite liberally in the
corporate world.  Financial institutions, in particular, rely on
triple DES and RSA, which are "public key" but are not "key escrow"
encryption, where a third party literally holds the keys, as you have
explained quite well.

Also, there are fascinating developments on the interactive
crypto-scape.  The excerpt below, taken from the September 25th issue
of Online Business Today represents stepped-up efforts by the
Internet community to develop strong encryption based on non key
escrow alternatives.  (Unfortunately for me, I am a Netscape user,
which has not moved to an "out-of-band" solution like that discussed

The zinger in the piece below is that the U.S. has approved this encryption for

There are also unsubstantiated (at least for me) rumors that the
Internet Architecture Board is going ahead with development of strong
encryption for Net use irrespective of whatever U.S. policy turns out
to be.


(Moderator's note: The following material is under copyright in the
U.S., and is posted to this newsgroup under "fair use" and "teachable
moment" doctrines.  Please do not post indiscriminately.)

(From Online Business Today, September 25, 1995)

V-ONE Corp. has announced that it will now license
its technology for open, secure electronic commerce
known as the CyberWallet(TM) to any qualified
software vendor for a nominal license fee. The
announcement was made in part in response to the
recently-publicized breaches of Netscape's SSL
security protocol. V-ONE's CyberWallet payment
process is intended to prevent merchant fraud and to
make totally open and secure electronic commerce on
the Internet by both consumers and businesses a

The CyberWallet payment process was licensed by
V-ONE to Checkfree(TM), Spyglass(TM), and
SecurePay(TM) in August of 1995 as a part of the
Electronic Business Co-op (EBC). Currently, a major
credit card company and several processors are testing
the CyberWallet process.

Unlike the Netscape SSL method, V-ONE uses its
patent-pending Secure Transaction Channel (STC)
technology in its CyberWallet process. STC is an "out
of band," end-to-end security method which utilizes
DES and RSA public key cryptography to conceal and
transmit financial data to credit card processors over
the Internet. STC's "out of band" characteristics enable
its secure use with any Internet browser, any Internet
server, and any transaction processor. The United
States Department of State and the Department of
Commerce have granted export approval.

STC's method differs from "in-band" security methods
such as Netscape's SSL, by operating on a separate
channel, parallel to any browser. This method is
analogous to a control channel operating with a data
channel in communication systems.

V-ONE, owner of the Internet firewall
SmartWall(TM), successfully demonstrated its version
of the CyberWallet - SmartWallet(TM) - September
19 at the Third Annual International Smart Card
Forum in Tysons Corner, VA. In the demonstration,
the SmartWallet process was used to purchase
merchandise with a credit card over the Internet. Next,
a smart card was used to authenticate a user over the
Internet to conduct secure personal banking with a
Citibank Home Banking account.

STC reduces the risk of merchant fraud by not
allowing the cybermerchant to see any financial data
contained in the encrypted envelope. The data is
decrypted at a decryption server used by the processing
bank or processor, who is a trusted party for credit card

STC is designed to eliminate the current need for a
certification infrastructure by using a unique public
key/private key relationship for encryption and
decryption. When the certification infrastructure is
finally in place, STC's application level architecture
allows for immediate migration to that process. In
addition, STC will comply with credit card transaction
standards as they are released.

"We use the strongest DES encryption to encrypt the
financial data and re-encrypt with RSA technology to
make it what we believe to be the strongest, most secure
Electronic Wallet in the world." said James Chen,

Craig A. Johnson

 Posted by --  Andrew Oram  --  •••@••.••• --  Cambridge, Mass., USA
                 Moderator:  CYBER-RIGHTS (CPSR)

You are encouraged to forward and cross-post messages and online materials,
pursuant to any contained copyright & redistribution restrictions.