[3024] in WWW Security List Archive


Re: CryptoAPI & Export (was CryptoAPI 2)

daemon@ATHENA.MIT.EDU (Adam Shostack)
Sat Sep 21 20:30:31 1996

From: Adam Shostack <adam@homeport.org>
To: tomj@microsoft.com (Tom Johnston)
Date: Sat, 21 Sep 1996 18:52:10 -0500 (EST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <c=US%a=_%p=msft%l=RED-71-MSG-960920230915Z-39248@tide21.microsoft.com> from "Tom Johnston" at Sep 20, 96 04:09:15 pm
Errors-To: owner-www-security@ns2.rutgers.edu

Tom Johnston wrote:
| >Notes, comments and corrections to Adam's mail regarding CryptoAPI's
| >requirement that CSP's be signed to execute.
| >
| >First of all, Microsoft would like to see the current government restrictions
| >relaxed (check out our export policy:
| >http://www.microsoft.com/intdev/security/export/expcont1.htm).

	I'll admit to knowing that you folks are big supporters of the
BSA, which lobbies for better rules.

| >Our goal with CryptoAPI is to make the API itself fully exportable -- all of
| >our systems platforms can ship with CryptoAPI - and as much as possible, keep
| >the burden of export compliance on cryptographic service provider (CSP)
| >developers -- who write crypto code and have this burden today - and away
| >from the application developer.  To comply with the law, all CSPs must be
| >signed before they will load.  This applies to all CSP's:  strong, export
| >strength, signature-only, etc.

	Which law is that that you're complying with?  If an
Australian programmer wants to load a Swiss CSP, why is Microsoft
getting in the way?

	Or can I configure CAPI to use signatures of my choice?

	It appears to me that you're being used by the ITAR folks to
allow them to restrict the use of Crypto software developed outside
the US which before they couldn't touch.

| >CryptoAPI looks for a signature for each cryptographic service provider.  The
| >signatures don't expire.  They're not specifying trust in the algorithm or
| >person; they merely make sure that the CSP hasn't been altered, and that it
| >complies with ITAR restrictions if they apply.  Without this signature method
| >or something substantially similar, CryptoAPI itself would not be exportable.

	No, you're ensuring that compliance with ITAR rules occurs on
all software outside of the US, irrespective of that software ever
entering the US.  Or can I use a German CSP on my British computer?
Why do I need a signature generated in the US?

| >Regarding competition, we will sign a competitor's CSP (assuming they have
| >the appropriate export licenses, or state that it's only for North America).

	And you'll sign foreign CSPs outside the USA?

| >Finally, are ISV's better off using CryptoAPI or incorporating other
| >cryptographic libraries that don't use the signed service provider model?  We
| >expect U.S. export authorities will waive the CJ requirement for
| >CryptoAPI-enabled applications that do not otherwise implement secure
| >functions, as soon as their regulations have been amended to allow them to do
| >so. We are working with U.S. export authorities to identify any areas of
| >concern or types of CryptoAPI-enabled applications that still might require
| >CJ or other licensing review.

Thus MS teams up with the US Government to enforce US rules around the
globe.  I hope they're paying you well.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume

