Adam Shostack <adam@homeport.org> writes:
| (Adam Back wrote:)
| >The new owner of the CAPI signatory key would need a good reputation,
| >and presumably a policy of signing any (non-GAKked) CAPI modules
| >signed by microsoft, and anything else that anyone wants signed.
How does a signer maintain a reputation if it will sign anything anyone wants signed? I can see a business for a non-US company to certify a CSP and sign it, but that's not the same as anything MS signs, or anything anyone else wants signed.
There may be room for competition here. :)
I wonder if MS would stand for competition on signing crypto modules. They say (I think?) currently that they will not charge for the service? (Do I have this right?) If they start charging for the service, they won't want competition.

What about patches of Windows, are there non-reverse engineering terms in the license? Lots of Windows apps do modifications of Windows, 3rd party memory managers, uninstall applications. Or are these all working within published Microsoft APIs?

What exactly is Microsoft certifying when they sign a CAPI module? That it is quality crypto? Has no obvious bugs? That it won't crash your system?

(I'm sure people have already exported signatures about the quality of crypto: PGP signed list traffic by (US) people that looked at PGP source, and found no flaws, etc).

Adam
--
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)