On 9 Jul 96 at 20:34, jim bell wrote: [..]

Unexplained: What if the program Microsoft is asked to sign is not intended for export? Presumably, NSA has no authority, then, and thus

They could insist on only signing exportable software, and in theory use that as ITAR-relaxing leverage. Methinks it's a bad move to only have MS sign software... presumably they won't outright refuse to sign competitors software. It would be a conflict of interest for them not to... very usable as evidence against MS in an anti-trust suit. Independent CA's would be better. IMO, it gives a false sense of sucurity to even require crypto apps to be signed. A lot of folks would want a developer's kit (probably cost $$$) to get around that requirement... nice loophole, BTW, for those that can afford it. Or until somebody patches the code to ignore bad signatures of lack of them and releases the patch. Oh yeah... false sense of security in that if an app is signed, it must be secure. Will the new Windows wipe all temporary files and the swap file? Otherwise it makes a CryptoAPI meaningless. There'll be a problem with PGPlib as well... what if people want to compile their own version? Assuming MS will even sign it... that will be a quagmire. It's likely that if strong crypto is not implemented in the MS API (or it is done so in an insecure fashion), hardly anyone will use it.

presumably Microsoft shouldn't be able to refuse to sign anything they're asked.

Why? Assuming there were no export restrictions... if it's signed by MS, people will take it to mean that MS is vouching for it. If they sign a library that does 'naughty things' or is an incredibly incompetant implementation of an algorithm, it could turn out to be bad PR for them. (Hm... they could use this as an excuse to read competitor's source code.) [..]

Couldn't somebody IMPORT a piece of encryption software, have it signed by Microsoft, then take the XOR of the signed and unsigned software and export it? (It's not a tool capable of encryption...)

Under that logic, I could do the same to a PGP distribution. I doubt the state department would look at it that way, or a jury for that matter. If you want to risk a few years in Federal Prison, go ahead... though chances are crypto-apps seem to make it out of the country anyway... --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl@unix.asb.com (root@magneto) AB1F4831 1993/05/10 Deranged Mutant <wlkngowl@unix.asb.com> Send a message with the subject "send pgp-key" for a copy of my key.