[7222] in cryptography@c2.net mail archive
Re: Andrew Fernandes on NSA back doors
daemon@ATHENA.MIT.EDU (John Young)
Sun May 28 16:52:51 2000
Message-Id: <200005281636.MAA16635@granger.mail.mindspring.net>
Date: Sun, 28 May 2000 12:23:44 -0400
To: "Arnold G. Reinhold" <reinhold@world.std.com>, cryptography@c2.net
From: John Young <jya@pipeline.com>
In-Reply-To: <v04210103b556d9dc77e7@[24.218.56.92]>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Arnold Rheinhold wrote:
>I'm afraid I don't find Mr. Fernandes' argument convincing. ...=20
>To me the mystery is why Microsoft is unwilling to fully explain its=20
>actions. Perhaps there are other details they do not wish to reveal.=20
>For example, since each CAPI module to be signed would require BXA=20
>approval beforehand, NSA may have wanted the tokens kept at a trusted=20
>third part, perhaps some law firm, giving BXA positive control over=20
>what gets signed. Whatever the reason, the _NSAKEY incident=20
>demonstrates that Microsoft has some secret relationship with NSA.
Note that the exchange with Duncan occurred while MS is butting
heads with DOJ. And the breakoff occurred in the possible
death struggle to keep MS a single company. Would MS squeal on
NSA during this crucial time? Not likely. Would it ask for help from
NSA in placating DOJ, say for two companies rather than three?=20
Possibly, if it could be kept quiet, especially from Judge Jackson.
Would MS set up a covert company for government work if it has
not already done so? Probably, if the pattern of other corporations=20
is followed. In that case, all records are excluded from FOIA.
The tone of MS's exchanges with Duncan certainly sounds like
those who are forbidden to go beyond a precise limit as to what
can be disclosed. Few say that the reason is an NDA for even
that cannot be revealed in most cases.
Another person at Microsoft, head of MS crypto in France,
commented (stonewalled) in response to a ZDNet (FR) article=20
(this too forwarded by Duncan though it was not written to him):
[Sent to ZDNet, No date]
Monsieur,=20
=20
Je vous remercie pour l=92article tr=E8s int=E9ressant publi=E9 sur ZDNet
(http://www.zdnet.fr/actu/tech/a0014367.html).
=20
Je souhaite cependant apporter quelques pr=E9cisions concernant=20
le r=F4le de la NSA, et sur le fait que les =E9diteurs soient dans=
l=92obligation=20
de fournir le code source au NSA pour obtenir les autorisations=20
d=92exportation.=20
=20
La revue technique effectu=E9e par le BXA n=92implique pas la fourniture=20
du code source, ni d=92extrait de code source. La d=E9claration n=92est=20
qu=92une documentation d=E9crivant les capacit=E9s d=92encryption et
sa force, ainsi que des justifications pour obtenir une licence export=20
sans restriction.
=20
Le process est clairement document=E9 par le site de la BXA=20
(Bureau des Exportations du D=E9partement du Commerce=20
am=E9ricain): http://www.bxa.doc.gov/Encryption/enc.htm. =20
Comme vous pouvez le constater, il n=92est fait nulle part=20
mention de fourniture du code.
=20
Dans un pass=E9 assez lointain cependant pour exporter=20
des produits =E0 40-bit, il =E9tait offert comme possibilit=E9 parmi=20
d=92autres, la fourniture du code source. Comme vous vous=20
en doutez, les grands =E9diteurs ont toujours pr=E9f=E9r=E9 les=20
autres m=E9thodes dont celle dite du "40-bit vector tests" qui
consistait par une s=E9rie d=92exemple =E0 prouver que le syst=E8me=20
fonctionnait bien avec un niveau de s=E9curit=E9 =E0 40 bits.=20
Dans l=92esprit tout au moins, cette m=E9thode ressemble =E0=20
celle demand=E9e aujourd=92hui encore par le SCSSI pour les=20
autorisations et d=E9claration d=92utilisation g=E9n=E9rale.
=20
Cordialement,
=20
Pierre-Henri Fr=E9vol
En charge des affaires Crypto
Microsoft France
