[5511] in cryptography@c2.net mail archive

Re: NSA key in MSFT Crypto API

daemon@ATHENA.MIT.EDU (John Gilmore)
Fri Sep 3 18:17:01 1999

To: "Salz, Rich" <SalzR@CertCo.com>
Cc: "'Lucky Green'" <shamrock@cypherpunks.to>,
        "cypherpunks@Algebra. COM" <cypherpunks@Algebra.COM>,
        "Cryptography@C2. Net" <cryptography@c2.net>,
        bugtraq@securityfocus.com, gnu@toad.com
In-reply-to: <29E0A6D39ABED111A36000A0C99609CA51D43B@macertco-srv1.ma.certco.com> 
Date: Fri, 03 Sep 1999 13:32:19 -0700
From: John Gilmore <gnu@toad.com>

> >http://www.cryptonym.com/hottopics/msft-nsa.html
> 
> Perhaps more interestingly, the program lets you replace the key, too.

Microsoft prevents third parties from installing un-authorized crypto
code under CAPI by checking the signature on the code.  Under their
export deal, they refuse to sign anyone's non-US code that does strong
crypto.  So if you want to add your own strong crypto, you need to sign
it with a key that the CAPI recognizes.  You could patch out Microsoft's
key but then the Microsoft modules won't load properly.  It works
better to patch out NSA's key with your own -- then you can load both
your own crypto code and all the standard MS stuff.

	John
