Förderverein Informationstechnik und Gesellschaft

PECSENC considers restrictions on smart cards

[The U.S. President's Export Council Subcommittee on Encryption (PECSENC) met in public session yesterday, May 14, 199. Some papers from it are now also available online. One of the interesting aspects apparently also seems to be that people in the USA are thinking about regulatory intervention in the smart card industry, since the crypto capabilities on chip cards are becoming unsettling to some people. -AHH]


[Attachment 3]



The nature of computing changes day by day. One of the more obvious changes has come in the size of what can be called a computer. Nowhere is this more evident than in the smart card technologies.


In this environment the issues include:

1. What would cause the DOC/BXA to want to regulate smart cards?

2. What would be the objectives of such regulation?

3. What would be the market impacts of those objectives?

4. What would be the risks to current encryption export policies of not regulating smart cards?

5. What would be the risks to current encryption export policies of regulating smart cards?

6. Would export controls be imposed based on the architecture of the IC; i.e., cryptographic co-processor?

7. Are smart cards covered by the personal use exceptions?

8. Would smart cards used to transport encryption keys be exempted?

9. Is it necessary to regulate smart cards, because the cryptographic keys are likely recoverable using timing attacks, differential power analysis, static power analysis, or other physical attacks?

10. Would the IC or the software on the card be regulated? Both?

11. If smart cards are to be controlled, are current policies sufficient to regulate smart cards?

12. How would such regulations be implemented?

13. Most smart card applications use cryptography for authentication. What would be required to document that those applications could not be converted to alternative use applications such as confidentiality?

14. Who would be responsible for compliance, the application owner or the cardholder?