From: jim bell <jimbell@pacifier.com>
Date: Fri, 19 Jan 1996 11:58:33 +0800
To: mab@research.att.com
Subject: Re: Microsoft's CAPI
Message-ID: <m0td2IK-0008xrC@pacifier.com>
MIME-Version: 1.0
Content-Type: text/plain


At 10:14 AM 1/17/96 -0800, Alan Bostick wrote:

>> The OS will not load just any old CSP.  CSPs have to be signed by
>> Microsoft.  The kernel contains a (hardcoded?) 1024 RSA public key
>> that it uses to check the signature when the user tries to load a CSP.
>> If the signature check fails, the CSP won't load.  Microsoft says it
>> will sign any CSP from anyone AS LONG AS THEY CERTIFY THAT THEY WILL
>> FOLLOW THE EXPORT RULES.  So you can get your CSP signed if you use
>> exportable cryptography or if you agree not to send it outside the US
>> and Canada, etc.  But an end user can't just compile crypto code and
>> use it as a CSP, even for his or her own use, without getting it
>> signed by Microsoft first (actually, the CSP development kit does
>> allow this, but it uses a special version of the OS).
>
>The next obvious question is:  Will Microsoft sign strong-crypto CSPs
>developed by foreign developers for out-of-USA use?

And, as well, for in-USA-use.  Currently, it is only the export of
cryptographic devices and programs which is restricted.  Are they going to
prohibit the export of digital signatures which enable the use of
foreign-developed software?!?