At 04:51 AM 7/10/96 +0000, Deranged Mutant wrote:

On 9 Jul 96 at 20:34, jim bell wrote: [..]

...

Unexplained: What if the program Microsoft is asked to sign is not intended for export? Presumably, NSA has no authority, then, and thus

They could insist on only signing exportable software, and in theory use that as ITAR-relaxing leverage.

Methinks it's a bad move to only have MS sign software... presumably they won't outright refuse to sign competitors software. It would be a conflict of interest for them not to... very usable as evidence against MS in an anti-trust suit. Independent CA's would be better.

Yes, that's the anti-trust vulnerability I mentioned. It is unclear if Microsoft could legitimately refuse to sign any software presented to it, regardless of its legal exportability.

IMO, it gives a false sense of sucurity to even require crypto apps to be signed. A lot of folks would want a developer's kit (probably cost $$$) to get around that requirement... nice loophole, BTW, for those that can afford it. Or until somebody patches the code to ignore bad signatures of lack of them and releases the patch.

I'm sure that will happen!

...

presumably Microsoft shouldn't be able to refuse to sign anything they're asked.

Why? Assuming there were no export restrictions... if it's signed by MS, people will take it to mean that MS is vouching for it. If they sign a library that does 'naughty things' or is an incredibly incompetant implementation of an algorithm, it could turn out to be bad PR for them. (Hm... they could use this as an excuse to read competitor's source code.)

What MS would be signing for is the GENUINENESS of the software, not its effectiveness. Sorta analogous to key-signatures in PGP. Jim Bell jimbell@pacifier.com