--- begin forwarded text X-Sender: dstoler@gptmail.globalpac.com Mime-Version: 1.0 Date: Tue, 13 Oct 1998 05:38:59 -0700 To: Pablo Calamera <pablo@microsoft.com>, rah@shipwright.com, mac-crypto@vmeng.com From: dstoler@globalpac.com (dstoler) Subject: Re: FYI: More on WebTV security Cc: jimg@mentat.com Dear all, This message discusses Microsoft's recent press release where they announce unlimited 128 bit RC4 export approval for WebTV users in Japan and the UK with no key escrow. They announce secure email between WebTV users in addition to security for financial services, web shopping, etc. http://www.microsoft.com/presspass/press/1998/Oct98/EncryptionPR.htm (See the end of this message for key paragraphs of the press release.) I rarely post messages on the crypto mailing lists. I am sufficiently disturbed by Microsoft's recent WebTV press release that I feel compelled to comment. The press release implies that there is secure end-to-end email between two WebTV customers. Perhaps I am overly cynical, but I am guessing that they are using SSL (TLS) from a web based email application on the client to WebTV's servers. I presume email data is decrypted at the servers, then re-encrypted to the recipient when she uses the WebTV client to read email. This approach would allow access to private email at the servers by WebTV employees or law enforcement agencies. Note the careful use of the phrases "unauthorized party" and "without posing undo risks to national security and law enforcement" in the press release. I believe that WebTV's email security is directly coupled to their ability to establish and enforce good security policy within their operation and the trustworthiness of the employees who have access to sensitive data. I am concerned that carefully constructed wording of Microsoft's press release implies stronger email security than really exists. I hope I am wrong. David Stoler Key paragraphs from Microsoft's press release: WebTV Networks has been granted the first export license to use strong 128-bit encryption for any user and any application in Japan and the United Kingdom. So, for example, an e-mail message with personal information sent from a WebTV subscriber in Japan to a second WebTV subscriber in Japan will be sent securely because there is no known technology by which an unauthorized party could intercept and decipher it. Therefore, as part of the WebTV Network, the WebTV-based Internet terminal (starting at under $100) is now the most secure communications device available from a U.S. company. "WebTV Networks' export approval is a significant step for industry and reflects the U.S. government's commitment to promoting e-commerce abroad," said William Reinsch, U.S. undersecretary for export administration. "The WebTV Network provides secure communications for its customers and partners without posing undue risks to national security and law enforcement." --- end forwarded text ----------------- Robert A. Hettinga <mailto: rah@philodox.com> Philodox Financial Technology Evangelism <http://www.philodox.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'