Re: Micro$oft and Java



I was at the Microsoft presentation.  Crypto-relevant info:

A patch will be published in the next few days to address the weak .PWL
encryption.  I got a rather lame excuse about how the encryption was first
implemented in 1991, and how it was sufficient then.  They will supposedly
be changing the seed.

I asked about what MS was doing in regard to future strong crypto.  Got an
interesting response in that "the government was going to let them
implement 768 bit keys."  I later asked an MS person if these were RSA
session keys or what.  He said yes, but I really don't think he knew what he
was talking about based on some of his other comments.

Visual Basic Script will be MS's response to JavaScript.  The interesting
thing here is a plan to use digital signatures on controls and scripts as a
means of authentication.  The comment was made "you'd trust something signed
by Lotus or some other big name, but you probably wouldn't be that trustful
of a piece of shareware."  Hmmm...

MS will be releasing a "safe" runtime version of Visual Basic that will
supposedly prevent nasty virii and trojan horses from being implemented on
Web pages.  IMHO, Perry's previous comments on the security of Java apply.

Servers and some clients will support end-to-end encryption.  No details...

I didn't ask about GAK.  Bill said there was a white paper explaining
Microsoft's position on encryption.  Maybe I'll test the search capabilities
of the MS Web site later tonight.

Overall, the presentation was interesting (but obviously lacking in
technical details as the audience was mostly press).  MS is going to throw a
lot of resources at this in order to maintain its industry dominance.

Thought for the day.  Bill on the relevance of the briefing being held on
Pearl Harbor day quoted Admiral Yamamoto after the 1941 attack, "we have
awoken a sleeping giant."  Draw your own conclusions on that one...

Joel