[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: exporting signatures only/CAPI (was Re: Why not PGP?)




Adam Shostack <[email protected]> writes:
> | (Adam Back wrote:)
> | >The new owner of the CAPI signatory key would need a good reputation,
> | >and presumably a policy of signing any (non-GAKked) CAPI modules
> | >signed by microsoft, and anything else that anyone wants signed.
> 
> 	How does a signer maintain a reputation if it will sign
> anything anyone wants signed?  I can see a business for a non-US
> company to certify a CSP and sign it, but thats not the same as
> anything MS signs, or anything anyone else wants signed.
> 
> 	There may be room for compitition here. :)

I wonder if MS would stand for competition on signing crypto modules.
They say (I think?) currently that they will not charge for the
service?  (Do I have this right?)

If they start charging for the service, they won't want competition.

What about patches of windows, are there non-reverse engineering terms
in the license?

Lots of windows apps do modifications of windows, 3rd party memory
managers, uninstall applications.  Or are these all working within
published microsoft APIs?

What exactly is microsoft certifying when they sign a CAPI module?

That it is quality crypto?  Has no obvious bugs?  That it won't crash
your system?

(I'm sure people have already exported signatures about the quality of
crypto: PGP signed list traffic by (US) people that looked at PGP
source, and found no flaws, etc).

Adam
--
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)