Arnold Rheinhold wrote:
>I'm afraid I don't find Mr. Fernandes' argument convincing. ... 

>To me the mystery is why Microsoft is unwilling to fully explain its 
>actions. Perhaps there are other details they do not wish to reveal. 
>For example, since each CAPI module to be signed would require BXA 
>approval beforehand, NSA may have wanted the tokens kept at a trusted 
>third party, perhaps some law firm, giving BXA positive control over 
>what gets signed.  Whatever the reason, the _NSAKEY incident 
>demonstrates that Microsoft has some secret relationship with NSA.

Note that the exchange with Duncan occurred while MS is butting
heads with DOJ. And the breakoff occurred in the possible
death struggle to keep MS a single company. Would MS squeal on
NSA during this crucial time? Not likely. Would it ask for help from
NSA in placating DOJ, say for two companies rather than three? 
Possibly, if it could be kept quiet, especially from Judge Jackson.
Would MS set up a covert company for government work if it has
not already done so? Probably, if the pattern of other corporations 
is followed. In that case, all records are excluded from FOIA.

The tone of MS's exchanges with Duncan certainly sounds like
those who are forbidden to go beyond a precise limit as to what
can be disclosed. Few say that the reason is an NDA, for even
that cannot be revealed in most cases.

Another person at Microsoft, head of MS crypto in France,
commented (stonewalled) in response to a ZDNet (FR) article 
(this too forwarded by Duncan though it was not written to him):

[Sent to ZDNet, No date]

Sir,

Thank you for the very interesting article published on ZDNet
(http://www.zdnet.fr/actu/tech/a0014367.html).

I would, however, like to clarify a few points concerning 
the role of the NSA, and the claim that publishers are obliged 
to provide source code to the NSA in order to obtain export 
authorizations.

The technical review carried out by the BXA does not involve supplying 
source code, or excerpts of source code. The declaration is 
only documentation describing the encryption capabilities and 
their strength, along with justifications for obtaining an unrestricted 
export license.

The process is clearly documented on the website of the BXA 
(Bureau of Exports of the U.S. Department of 
Commerce): http://www.bxa.doc.gov/Encryption/enc.htm.
As you can see, nowhere is there any 
mention of supplying code.

In the fairly distant past, however, to export 
40-bit products, supplying the source code was offered as one 
possibility among others. As you would 
expect, the large publishers always preferred the 
other methods, including the one known as "40-bit vector tests", which
consisted of proving, through a series of examples, that the system 
did indeed operate at a 40-bit security level.

In spirit at least, this method resembles the 
one still required today by the SCSSI for 
authorizations and declarations of general use.

Sincerely,

Pierre-Henri Frévol
In charge of Crypto affairs
Microsoft France


