[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Microsoft & Key Escrow



These issues are also addressed at somewhat greater length than in the
FAQ in "Microsoft Policy on Export Controls on Encryption" at
http://www.microsoft.com/intdev/security/export/expcont1.htm (updated
since the recent Administration announcements).

rgds
tom
>-----Original Message-----
>From:	Blake Coverett [SMTP:[email protected]]
>Sent:	Wednesday, December 04, 1996 6:12 PM
>To:	'[email protected]'
>Subject:	Microsoft & Key Escrow
>
>Following are some of the relevent snippets from
>http://www.microsoft.com/intdev/security/export/exporfaq-f.htm.
>The comments in square brackets are mine.
>
>---cut here---
>What is Microsoft's position on supporting key escrow?
>
>Key escrow encryption is not a market-driven solution and it raises serious
>privacy concerns for many customers. It is also new, undeveloped, untested,
>and uncosted, and it will take a long time to be worked out. Additionally,
>customers have expressed hesitation about mandatory key escrow, especially if
>they have to give the keys to the government or a government-selected third
>party. Therefore, we are not actively adding support for key escrow in our
>products and technologies. 
>
>[About as good as we can ask for.  I would, however, like that last sentence
> better if the word 'actively' was missing.]
>
>Shouldn't the U.S. government be able to access information that could
>prevent terrorist acts and crime?
>
>Strong non-key escrow encryption is already available from retail outlets,
>foreign companies, and off the Internet. Thus the U.S. government is already
>having--and will continue to have--a harder time in the future accessing
>plain text regardless of U.S. export restrictions. 
>
>[I suppose it would be too much to expect a third sentence
> reading.  'This is a good thing.']
>
>What is key recovery? How does it relate to key escrow?
>
>Market-driven data recovery refers to a product feature that allows users to
>maintain a spare private encryption key in a safe place. Generally, a data
>recovery system escrows a copy of the session key with the message or file
>and the user (or perhaps his employer) controls the decision whether to
>utilize this feature. With key escrow the U.S. government holds or has access
>to a user's private encryption key. 
>
>It is not yet clear whether such systems are exportable. In the October 1
>announcement, the U.S. government referred to "key recovery" without defining
>it; in all likelihood, however, they still have in mind government key
>escrow, and not market-driven data recovery. 
>
>[Hmm... it's just possible that Microsoft's spin doctors are
> better than those of the US government.  Perhaps they can
> sell the world on their definition of 'key recovery' instead of
> the one we know the TLAs intended.]
>---cut here---
>
>regards,
>-Blake
>