1998-01-08 - MS Server Gated Crypto: strong encryption w/ exportable browsers if the server is US-OK

Header Data

From: David Honig <honig@otc.net>
To: cypherpunks@toad.com
Message Hash: 79652c38aca6e3813fae2ab8849c17564cfd018da2098046fbae9dcc2e86560e
Message ID: <3.0.5.32.19980108090210.007a6820@206.40.207.40>
Reply To: N/A
UTC Datetime: 1998-01-08 18:25:19 UTC
Raw Date: Fri, 9 Jan 1998 02:25:19 +0800

Raw message

From: David Honig <honig@otc.net>
Date: Fri, 9 Jan 1998 02:25:19 +0800
To: cypherpunks@toad.com
Subject: MS Server Gated Crypto: strong encryption w/ exportable browsers if the server is US-OK
Message-ID: <3.0.5.32.19980108090210.007a6820@206.40.207.40>
MIME-Version: 1.0
Content-Type: text/plain



	
The gist of http://eu.microsoft.com/industry/finserv/m_finserv/m_fordev_g.htm
is, MS has US permission to export a DLL containing 128-bit SSL *worldwide*
since the encryption is enabled IFF there's a Verisign "SGC certificate" on
the *server*. This apparently will work with Netscape servers in addition
to IIS.

This facilitates gov't-trusted banks doing business with clients with
generic MS browsers. And it facilitates MS's growth in the web world.

Thoughts:

Since US law (*) doesn't recognize digital IDs or the authority of
Verisign, this implies the government has enforced some arbitrary
judgement calls biassed towards this system, no? Additionally, the US
would be seeming to trust the implementation in MS's new DLL which checks
for and verifies signatures.  All in all, some clever/cunning positioning
by MS.

This is set up for banks, and the certificates are strong.  But they seem
like the weak point -- could a generic certificate be circulated amongst
the Undesirables so they could enable this feature in IE browsers with the
new DLL?


(*) I understand that the government of Utah now recognizes some form of
digital signatures.








------------------------------------------------------------
      David Honig                   Orbit Technology
     honig@otc.net                  Intaanetto Jigyoubu

	"How do you know you are not being deceived?" 
	---A Compendium of Analytic TradeCraft Notes, 
	Directorate of Intelligence, CIA
















