1996-10-13 - Re: exporting signatures only/CAPI (was Re: Why not PGP?)

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: adam@homeport.org
Message Hash: 619d49600f7a999367ec51035a2d55fa33a95105401dd00dd7fdb6c20399feff
Message ID: <199610130802.JAA00335@server.test.net>
Reply To: <199610121908.OAA19871@homeport.org>
UTC Datetime: 1996-10-13 10:13:30 UTC
Raw Date: Sun, 13 Oct 1996 03:13:30 -0700 (PDT)

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Sun, 13 Oct 1996 03:13:30 -0700 (PDT)
To: adam@homeport.org
Subject: Re: exporting signatures only/CAPI (was Re: Why not PGP?)
In-Reply-To: <199610121908.OAA19871@homeport.org>
Message-ID: <199610130802.JAA00335@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain



Adam Shostack <adam@homeport.org> writes:
> | (Adam Back wrote:)
> | >The new owner of the CAPI signatory key would need a good reputation,
> | >and presumably a policy of signing any (non-GAKked) CAPI modules
> | >signed by Microsoft, and anything else that anyone wants signed.
> 
> 	How does a signer maintain a reputation if it will sign
> anything anyone wants signed?  I can see a business for a non-US
> company to certify a CSP and sign it, but that's not the same as
> anything MS signs, or anything anyone else wants signed.
> 
> 	There may be room for competition here. :)

I wonder if MS would stand for competition on signing crypto modules.
They say (I think?) currently that they will not charge for the
service?  (Do I have this right?)

If they start charging for the service, they won't want competition.

What about patches of Windows, are there non-reverse engineering terms
in the license?

Lots of Windows apps do modifications of Windows, 3rd party memory
managers, uninstall applications.  Or are these all working within
published Microsoft APIs?

What exactly is Microsoft certifying when they sign a CAPI module?

That it is quality crypto?  Has no obvious bugs?  That it won't crash
your system?

(I'm sure people have already exported signatures about the quality of
crypto: PGP signed list traffic by (US) people that looked at PGP
source, and found no flaws, etc).

Adam
--
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)




