1994-07-28 - Questions about Microsoft and Software Key Escrow

Header Data

From: tcmay@netcom.com (Timothy C. May)
To: blancw@microsoft.com (Blanc Weber)
Message Hash: dd20a59925e731ad36dd26b3c956328b33e2b132bea16a3ff606278467813081
Message ID: <199407280504.WAA03278@netcom14.netcom.com>
Reply To: <9407280306.AA18192@netmail2.microsoft.com>
UTC Datetime: 1994-07-28 05:04:45 UTC
Raw Date: Wed, 27 Jul 94 22:04:45 PDT

Raw message

From: tcmay@netcom.com (Timothy C. May)
Date: Wed, 27 Jul 94 22:04:45 PDT
To: blancw@microsoft.com (Blanc Weber)
Subject: Questions about Microsoft and Software Key Escrow
In-Reply-To: <9407280306.AA18192@netmail2.microsoft.com>
Message-ID: <199407280504.WAA03278@netcom14.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


I've been in e-mail contact today and tonight with the MS paralegal I
mentioned: I urged him to make his comments to the list. It remains
clear to me, not denied by him, that MS is indeed in some process of
evaluating SKE, studying legal and export issues, etc. 

His own comments, including our exchange today, show him to have
thought about these issues. (This doesn't make his conclusions, or
Microsoft's, "right," but it sure does mean the idea wasn't a new one
out of left field to them...thus confirming my point that it looks
like MS has work going on.)

However, all of these various points need to be verified, as I think I
was pretty careful (some would say overly careful) to say in my posts.

Blanc Weber answered David Merriman's questions, and I will provide
my own gloss on her comments:

> From: David K. Merriman
> 
> It has been brought up on the Cypherpunks mailing list that Microsoft is
> proposing to include public-key escrow as a *built-in* "function" of future
> products - Chicago and Daytona have been specifically mentioned.
> ...................................................................... 
> ..........
> 
> No, this is not correct.  It was speculation from Tim May on possible 
> developments, based on his interpretation of recent events and on email 
> which I sent to him.  This email was referring to the fact that his 
> concerns notwithstanding,  it is not an easy thing to implement a 
> privately-held key escrow system into a desktop operating system, that 
> Microsoft is not talking about implementing a 'software Clipper', and 
> is presently only *examining* the international ramifications of 
> software key-escrow and non-escrowed strong encryption security.

I certainly agree that there is no evidence MS is ready to deploy
code. But they appear to be evaluating plans, and possibly have been
talking to NIST/NSA and the export people. I really hope the MS can
comment on what they've been discussing.

(As to the issue of a "software Clipper," SKE could actually be much
worse than Clipper ever was likely to be. I knew of nobody planning to
buy Clipjacked phones, but I know a _lot_ of OS customers. The MS
person told me MS was planning to ensure a "voluntary" standard....you
all know the arguments about deploying a widespread infrastructure
that with the stroke of a pen could stop being voluntary. Talk about
"legitimate needs of law enforcement" (not the MS guy's line, that I
recall...call this paraphrasing) is pretty inconsistent with a
voluntary key escrow system!)
> 
> Please give this question the benefit of the doubt and postpone your 
> conclusions about this until I can get an official statement, thanks.
> 
> Blanc

My forte here on the list, I like to think, has always been to have
"extremely long-range radar" that can pick up trends far in advance.
Black Unicorn once told me this was my main strength, and even
everybody's second-favorite nemesis, David Sternlight, said much the
same thing in sci.crypt. Coming from Sternlight, high praise indeed.

Well, this thing has my whiskers twitching.

I sense evidence that a whole sub-rosa series of negotiations has been
going on, that the SKE developed by TIS with inputs from NIST/NSA is
being pushed on the OS vendors. The talk about "exportability" is a
smokescreen....why should the U.S. insist on voluntary key escrow for
products shipped to repressive regimes? Since when is it the U.S.'s
job to enforce the crypto laws of other nations? Unless, of course, a
series of negotiations has been going on.

Something's rotten in the state of Denmark. And it ain't the herring.

By all means, give Microsoft the benefit of the doubt. But also
insist that they explain their work on SKE, and repudiate it.

--Tim May


-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."



