[3018] in WWW Security List Archive


CryptoAPI & Export (was CryptoAPI 2)

daemon@ATHENA.MIT.EDU (Tom Johnston)
Fri Sep 20 21:06:18 1996

From: Tom Johnston <tomj@microsoft.com>
To: "'adam@homeport.org'" <adam@homeport.org>,
        "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>
Date: Fri, 20 Sep 1996 16:09:15 -0700
Errors-To: owner-www-security@ns2.rutgers.edu

>Notes, comments and corrections to Adam's mail regarding CryptoAPI's
>requirement that CSP's be signed to execute.
>
>First of all, Microsoft would like to see the current government restrictions
>relaxed (check out our export policy:
>http://www.microsoft.com/intdev/security/export/expcont1.htm).
>
>Our goal with CryptoAPI is to make the API itself fully exportable -- all of
>our systems platforms can ship with CryptoAPI - and as much as possible, keep
>the burden of export compliance on cryptographic service provider (CSP)
>developers -- who write crypto code and have this burden today - and away
>from the application developer.  To comply with the law, all CSPs must be
>signed before they will load.  This applies to all CSP's:  strong, export
>strength, signature-only, etc.
>
>CryptoAPI looks for a signature for each cryptographic service provider.  The
>signatures don't expire.  They're not specifying trust in the algorithm or
>person; they merely make sure that the CSP hasn't been altered, and that it
>complies with ITAR restrictions if they apply.  Without this signature method
>or something substantially similar, CryptoAPI itself would not be exportable.
>
>Regarding competition, we will sign a competitor's CSP (assuming that they have
>the appropriate export licenses, or state that it's only for North America).
>
>Finally, are ISV's better off using CryptoAPI or incorporating other
>cryptographic libraries that don't use the signed service provider model?  We
>expect U.S. export authorities will waive the CJ requirement for
>CryptoAPI-enabled applications that do not otherwise implement secure
>functions, as soon as their regulations have been amended to allow them to do
>so. We are working with U.S. export authorities to identify any areas of
>concern or types of CryptoAPI-enabled applications that still might require
>CJ or other licensing review.
>
>	-TJ
>
