Background:
MS Win has a crypto interface called CAPI (Crypto API).
Its purpose is to have a handful of exchangeable
*crypto service providers* that supply applications with
crypto services.

This mechanism is used to enforce the export control
restrictions. Every service provider must be signed
by a built-in key owned by Microsoft. You'll get this
signature only if you assure that you will comply with
export restrictions.

During the last few days a second key called "NSAKEY" was
discovered. That key is badly protected and can easily be
modified. Thus everybody can sign their own crypto provider
and place the public signing key instead of the original
NSAKEY.

This would allow circumventing almost all 40/512-bit restrictions
and allow for fortifying MSIE. It might not help for strong
SSL, since at least once SSL was implemented w/o CAPI but
inside schannel.dll.

So my questions are:
1.) Is it worth implementing a crypto provider based on 
    OpenSSL and ship it with a key replacement during install?
2.) Who would volunteer for it?

Please restrict your answers to the topic. Especially
do not consider rambling about MS, NSA, crypto restrictions
and the like! Thanks.
-- 
Holger Reif                  Tel.: +49 361 74707-0
SmartRing GmbH               Fax.: +49 361 7470720
Europaplatz 5             [EMAIL PROTECTED]
D-99091 Erfurt                    WWW.SmartRing.de
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
