IAB and IESG Statement on Cryptographic Technology and the Internet
RFC 1984

Document Type RFC - Best Current Practice (August 1996; No errata)
Also known as BCP 200
Last updated 2015-09-25
Stream Legacy
Network Working Group                                                IAB
Request for Comments: 1984                                          IESG
Category: Informational                                      August 1996

  IAB and IESG Statement on Cryptographic Technology and the Internet

Status of This Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

Copyright

   (C) Internet Society 1996.  Reproduction or translation of the
   complete document, but not of extracts, including this notice, is
   freely permitted.

July 24, 1996

   The Internet Architecture Board (IAB) and the Internet Engineering
   Steering Group (IESG), the bodies which oversee architecture and
   standards for the Internet, are concerned by the need for increased
   protection of international commercial transactions on the Internet,
   and by the need to offer all Internet users an adequate degree of
   privacy.

   Security mechanisms being developed in the Internet Engineering Task
   Force to meet these needs require and depend on the international use
   of adequate cryptographic technology.  Ready access to such
   technology is therefore a key factor in the future growth of the
   Internet as a motor for international commerce and communication.

   The IAB and IESG are therefore disturbed to note that various
   governments have actual or proposed policies on access to
   cryptographic technology that either:

   (a) impose restrictions by implementing export controls; and/or

   (b) restrict commercial and private users to weak and inadequate
       mechanisms such as short cryptographic keys; and/or

   (c) mandate that private decryption keys should be in the hands of
       the government or of some other third party; and/or

   (d) prohibit the use of cryptology entirely, or permit it only to
       specially authorized organizations.

   We believe that such policies are against the interests of consumers
   and the business community, are largely irrelevant to issues of
   military security, and provide only a marginal or illusory benefit to
   law enforcement agencies, as discussed below.

   The IAB and IESG would like to encourage policies that allow ready
   access to uniform strong cryptographic technology for all Internet
   users in all countries.

The IAB and IESG claim:

   The Internet is becoming the predominant vehicle for electronic
   commerce and information exchange. It is essential that the support
   structure for these activities can be trusted.

   Encryption is not a secret technology monopolized by any one country,
   such that export controls can hope to contain its deployment. Any
   hobbyist can program a PC to do powerful encryption. Many algorithms
   are well documented, some with source code available in textbooks.

   Export controls on encryption place companies in that country at a
   competitive disadvantage. Their competitors from countries without
   export restrictions can sell systems whose only design constraint is
   being secure, and easy to use.

   Usage controls on encryption will also place companies in that
   country at a competitive disadvantage because these companies cannot
   securely and easily engage in electronic commerce.

   Escrow mechanisms inevitably weaken the security of the overall
   cryptographic system, by creating new points of vulnerability that
   can and will be attacked.

   Export controls and usage controls are slowing the deployment of
   security at the same time as the Internet is exponentially increasing
   in size and attackers are increasing in sophistication. This puts
   users in a dangerous position as they are forced to rely on insecure
   electronic communication.

TECHNICAL ANALYSIS

KEY SIZE

   It is not acceptable to restrict the use or export of cryptosystems
   based on their key size.  Systems that are breakable by one country
   will be breakable by others, possibly unfriendly ones.  Large
   corporations and even criminal enterprises have the resources to
   break many cryptosystems.  Furthermore, conversations often need to
   be protected for years to come; as computers increase in speed, key
   sizes that were once out of reach of cryptanalysis will become
   insecure.
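
   The following sketch is an added illustration of the key-size
   argument above and is not part of the original memo.  The attacker
   search rate, the doubling period for computing speed and the time
   budget are assumptions chosen for the example, not figures from the
   memo.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def search_years(bits, keys_per_sec):
    """Expected years to find a key by exhaustive search (half the keyspace)."""
    return 2 ** (bits - 1) / keys_per_sec / SECONDS_PER_YEAR

def years_until_breakable(bits, keys_per_sec, doubling_years, budget_years):
    """Years from now until an exhaustive search fits inside budget_years,
    assuming the attacker's search rate doubles every doubling_years."""
    today = search_years(bits, keys_per_sec)
    if today <= budget_years:
        return 0.0                      # already within reach
    return doubling_years * math.log2(today / budget_years)

def min_bits_for_lifetime(lifetime_years, keys_per_sec, doubling_years,
                          budget_years):
    """Smallest key length that keeps traffic recorded today out of reach
    of exhaustive search for lifetime_years."""
    bits = 1
    while years_until_breakable(bits, keys_per_sec, doubling_years,
                                budget_years) < lifetime_years:
        bits += 1
    return bits

def survey(key_sizes, keys_per_sec, doubling_years, budget_years):
    """(bits, years until breakable) for each key size."""
    return [(b, years_until_breakable(b, keys_per_sec, doubling_years,
                                      budget_years)) for b in key_sizes]

if __name__ == "__main__":
    # Assumed attacker: 1e12 keys/s today, speed doubling every 1.5 years,
    # willing to spend one year on a single key.
    for bits, years in survey([40, 56, 64, 80, 128], 1e12, 1.5, 1.0):
        print(f"{bits:4d}-bit key: out of reach for about {years:6.1f} years")
    print("bits needed for 30 years:", min_bits_for_lifetime(30, 1e12, 1.5, 1.0))
```

   Under this model each extra key bit buys one doubling period, so a
   key-size cap translates directly into a cap on how long recorded
   traffic stays protected.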

PUBLIC KEY INFRASTRUCTURE

   Use of public key cryptography often requires the existence of a
   "certification authority".  That is, some third party must sign a
   string containing the user's identity and public key.  In turn, the
   third party's key is often signed by a higher-level certification
   authority.
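
   The two-level structure just described, as an added example that is
   not part of the original memo.  It uses textbook RSA without padding
   over small fixed primes so that it runs with the standard library
   alone; the names, keys and certificate layout are constructed for
   the illustration and are not a real certificate format.

```python
import hashlib

# Toy textbook RSA (no padding) over Mersenne primes: structure only, not secure.
def keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public, private)

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

def signed_string(identity, pub):
    """The string the CA signs: the subject's identity and public key."""
    return f"{identity}|{pub[0]}|{pub[1]}".encode()

def issue(issuer, issuer_priv, identity, pub):
    return {"subject": identity, "pub": pub, "issuer": issuer,
            "sig": sign(issuer_priv, signed_string(identity, pub))}

def verify_chain(chain, trusted):
    """chain runs from the user's certificate up; trusted maps CA name -> key."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):                   # signed by the next cert up
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False
            issuer_pub = chain[i + 1]["pub"]
        else:                                    # top of chain: need a trust anchor
            issuer_pub = trusted.get(cert["issuer"])
            if issuer_pub is None:
                return False
        if not verify(issuer_pub, signed_string(cert["subject"], cert["pub"]), cert["sig"]):
            return False
    return True

# Constructed names and keys for the example.
root_pub, root_priv = keypair(2**89 - 1, 2**107 - 1)
ca_pub, ca_priv = keypair(2**61 - 1, 2**127 - 1)
user_pub, _ = keypair(2**19 - 1, 2**31 - 1)
TRUSTED = {"Root CA": root_pub}
ca_cert = issue("Root CA", root_priv, "Example CA", ca_pub)
user_cert = issue("Example CA", ca_priv, "alice@example.org", user_pub)
print("chain valid:", verify_chain([user_cert, ca_cert], TRUSTED))
```

   The certification authority's private key is used only to sign
   public information; checking the chain never requires anyone's
   private decryption key.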

   Such a structure is legitimate and necessary.  Indeed, many