Shades of the plaintext-embedded-in-the-executable Netscape "policy page"?
Or is it just more stupid Microsoft crypto programming?
Father Occam prefers the latter, but you never know...
Cheers,
RAH
--- begin forwarded text
Date: Fri, 3 Sep 1999 15:34:04 -0300
Reply-To: Law & Policy of Computer Communications
<[EMAIL PROTECTED]>
Sender: Law & Policy of Computer Communications
<[EMAIL PROTECTED]>
From: "Peter D. Junger" <[EMAIL PROTECTED]>
Subject: Re: FW: Warning about Installation of Software -- Don't be fooled
by NSA Rumors
To: [EMAIL PROTECTED]
Status: U
Mark Shea writes:
: There is a discussion of this issue at
: http://www.slashdot.org/articles/99/09/03/0940241.shtml
: <http://www.slashdot.org/articles/99/09/03/0940241.shtml> today. One of the
: more informed and thoughtful posts (IMHO) was from a Windows coder who has
: been working with this API for over a year. His/her comments can be seen at
: http://www.slashdot.org/comments.pl?sid=99/09/03/0940241
: <http://www.slashdot.org/comments.pl?sid=99/09/03/0940241&cid=56> &cid=56 .
: I recommend, however, you take a look at the whole discussion. It is fairly
: lively.
I always get lost on /. but I was able to read some of the messages and
some of the original material posted on the Internet.
Apparently this bit of stupidity is more of an opportunity than a threat.
As I understand it, the various versions of MSWindows include a Crypto
Applications Program Interface---I don't really know about this, being
much to snobbish to use Microsoft products---where one can plug in
encryption modules. But the government would not let Microsoft export
its Windows systems with this API unless it was crippled so that one
could not plug in strong crypto. So the solution was to require that
any crypto software installed on a MSWindows machine had to be signed by
Microsoft using a public key. (I'm not quite sure of the type of key that
was used.) So this crypto API contains a key that can be used to make
sure that Microsoft has signed an appplication, and if an application
is strong crypto it won't be signed by Microsoft and thus will not run
under MSWindows.
If you remove this Microsoft key from your Windows box, then you can't
run any crypto applications (that use the crypto API).
But now it turns out that some genius added a second key, called
apparently the NSAKEY, to the API and that a crypto apllication will
run if it is signed by either of the keys. You can remove the NSAKEY
and anything signed by Microsoft will still run, but programs signed by
NSA won't run (unless, I guess, they are also signed by Microsoft).
And---and this is the good part---you can not only remove the NSAKEY,
you can replace it with your own key, and then run any crypto applications
programs that you want, no matter how strong!
This effectively allows one to ignore the export controls on crypto
applications that run on MSWindows.
At least that is my understanding.
If I am right, the question becomes whether the replacable second key
is the result of stupidity---or of sabotage.
--
Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH
EMAIL: [EMAIL PROTECTED] URL: http://samsara.law.cwru.edu
NOTE: [EMAIL PROTECTED] no longer exists
--- end forwarded text
-----------------
Robert A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
