Is DSS dead?

It didn't take long for somebody to exit the back door of the Digital Signature
Standard.


This standard has been around for nearly three years, yet almost no government agencies
use it. Last year, the Commerce Department, in a concession to market realities, said
agencies could get waivers from using DSS as long as they notified Commerce, congressional
overseers and the public via the Federal Register.


Well, the Animal and Plant Health Inspection Service has done just that, as we reported
May 13. APHIS, like many other agencies, has work to do. It can't justify the time and
expense of developing, in this case, custom on-line forms applications incorporating DSS
when commercial encryption capabilities already are built into its forms software.


More agencies are sure to follow.


Some have blamed the failure of DSS on the National Institute of Standards and
Technology. In a sense, that's true. But at the same time, it's an unfair assertion. NIST
was directed to create a government-specific encryption scheme. It did what it was
supposed to do in spite of downsizing, budget cuts and legal challenges from private
encryption vendors.


The real fault lay in the notion--promulgated by the White House--that the government
could simply declare a standard and expect the world to follow it. In effect, the train
had left the station and the feds were powerless to change its course.


Besides trying to establish a new standard, DSS had the problem of being, well, from
the government. Recall the brouhaha over the feds holding the encryption keys so law
enforcement agencies could eavesdrop on communications related to illegalities. Too many
businesses and individuals balked, loudly asserting that private communications should
remain private.


Although there are legitimate arguments on both sides, the debate itself didn't help
DSS.


It's still too soon to pronounce DSS dead. A few agencies, notably IRS, are using it,
trying to integrate it with commercial products and services. Moreover, some vendors have
announced support for DSS in new releases of products. The largest supplier of forms to
DOD, Symantec Corp.'s Delrina Group, said a forthcoming upgrade will have DSS support from
a third party.


Dead or not, it's wise to be flexible about security techniques. The goal should be
secure transactions, not adoption of any particular set of products.


