Wired.com:

> "The key is a Microsoft key -- it is not shared with any party including
> the NSA," said Windows NT security product manager Scott Culp. "We don't
> leave backdoors in any products."
>
> "The only thing that this key is used for is to ensure that only those
> products that meet US export control regulations and have been checked can
> run under our crypto API (application programming interface)," Culp said.
>
> "It does not allow anyone to start things, stop services, or allow
> anything [to be executed] remotely," he said.
>
> "It is used to ensure that we and our cryptographic partners comply with
> United States crypto export regulations. We are the only ones who have
> access to it."

So is this NSAKEY actually used to validate ay CSPs?  Are there CSPs
out there which depend on this key, CSPs which have passed crypto
export review?  If so, the claims that the key can be removed without
impact are false.  If not, Carp's explanation cannot be believed.

Someone should ask Carp if export-approved CSPs use this NSAKEY, as
he implies.  If they don't, and if export-approved CSPs are signed with
the regular Microsoft key instead, he should be made to explain what
exactly this key is used for.

Reply via email to