From: geeman@best.com
Date: Tue, 19 Mar 1996 04:17:49 +0800
To: Rich Graves <llurch@networking.stanford.edu>
Subject: Re: M$ CryptoAPI Question
Message-ID: <199603181624.IAA24559@dns2.noc.best.net>
MIME-Version: 1.0
Content-Type: text/plain


At 12:02 AM 3/18/96 -0800, you wrote:
>
>If the good guys can find a way to plug an unapproved international
>strong-crypto module into the CryptoAPI, then the bad guys can find a way
>plug in a no-crypto virus or trojan horse. 
>

You want to prove:
(A)
IF you CAN plug in an unapproved module
THEN you CAN plug in a trojan/virus.

That doesn't mean, however, that:
(B)
IF you can't plug in an unapproved module
THEN you can't plug in a trojan/virus.

The subversion mechanisms would just not use the standard API.  
So what have you really proved if you can prove (A)?

>-rich@c2.org
> http://www.c2.org/hackmsoft/ and other cool stuff
>
>