From: abostick@netcom.com (Alan Bostick)
Date: Thu, 18 Jan 1996 08:08:00 +0800
To: mab@research.att.com
Subject: Re: Microsoft's CAPI
In-Reply-To: <199601171502.KAA16060@nsa.tempo.att.com>
Message-ID: <pxT/w8m9LAcF085yn@netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

In article <199601171502.KAA16060@nsa.tempo.att.com>,
Matt Blaze <mab@research.att.com> wrote:

> The OS will not load just any old CSP.  CSPs have to be signed by
> Microsoft.  The kernel contains a (hardcoded?) 1024 RSA public key
> that it uses to check the signature when the user tries to load a CSP.
> If the signature check fails, the CSP won't load.  Microsoft says it
> will sign any CSP from anyone AS LONG AS THEY CERTIFY THAT THEY WILL
> FOLLOW THE EXPORT RULES.  So you can get your CSP signed if you use
> exportable cryptography or if you agree not to send it outside the US
> and Canada, etc.  But an end user can't just compile crypto code and
> use it as a CSP, even for his or her own use, without getting it
> signed by Microsoft first (actually, the CSP development kit does
> allow this, but it uses a special version of the OS).

The next obvious question is:  Will Microsoft sign strong-crypto CSPs
developed by foreign developers for out-of-USA use?



- -- 
   Alan Bostick             | He played the king as if afraid someone else 
Seeking opportunity to      | would play the ace.
develop multimedia content. |      John Mason Brown, drama critic
Finger abostick@netcom.com for more info and PGP public key

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMP09JuVevBgtmhnpAQHbyQMAw3yh1qhIrBD0RF2ppiiiJnwJkF45qMKm
vsjXXZY92dJPbdLcOebxBRPCBxpyRSVqVKsy6QPA0KsYdLIgFt+ziFYWRrv3PFjz
f3Jf2dg+rhJ6G4dhDhTqp4/pdUT0huzy
=78Il
-----END PGP SIGNATURE-----