At 07:19 PM 7/9/96 -0400, George Kuzmowycz wrote:

The June 10, 1996 Network World carried a story on page 8 under the title "Microsoft breaks crypto barrier", which starts off as follows:

" Microsoft Corp. last week said it will include cryptography-based security technology in its operating systems, messaging product and Web browser through a new set of APIs that will be available both in the U.S. and overseas.

" The fact that the National Security Agency is allowing Microsoft to export the cryptographic APIs is somewhat of a coup for the software vendor, although the NSA did nothing to alter the current export ban on strong encryption."

Later on, it says:

" Microsoft's Crypto APIs will be available to third-party vendors writing applications with embedded security. But the hardware or software Crypto-engines for these applications will need to be digitally signed by Microsoft before they will work with the APIs. Under an unusual arrangement with the NSA, Microsoft will act as a front man for the powerful U.S. spy agency, checking on whether the vendors' products comply with U.S. export rules."

Unexplained: What if the program Microsoft is asked to sign is not intended for export? Presumably, NSA has no authority, then, and thus presumably Microsoft shouldn't be able to refuse to sign anything they're asked. Question: Doesn't this set up an action by Microsoft which would be actionable under anti-trust laws (if it wasn't done at the behest of government?) Couldn't somebody IMPORT a piece of encryption software, have it signed by Microsoft, then take the XOR of the signed and unsigned software and export it? (It's not a tool capable of encryption...) Or: Microsoft presumably has foreign branches, or at least it could easily afford to set up one. What's to stop Microsoft from signing foreign encryption software outside of the US? The software is never exported (since it's already outside the country...), so there's no USA-law involv ement. Jim Bell jimbell@pacifier.com