John Young wrote on 1999-09-07 09:05 UTC:
> Assuming the key is a backdoor to intercepted encrypted information,
> Microsoft would be walking on very thin ice indeed, but may have severe
> legal problems in any event. The federal wiretapping statute is very
> clear in its prohibitions against advertising or distributing in
> commerce "devices" for intercepting electronic communications.
This calls for a small Critical Thinking[TM] exercise:
If company X produces and distributes a telecommunications product Y
that does not provide a sufficient degree of message secrecy against
signal intelligence agency Z, and if in addition X never has claimed or
implied that Y provides message confidentiality against Z, do you really
believe that you could sue X for doing so?
Wouldn't this in effect also allow you to sue every US telefone
manufacturer for shipping products with a built-in NSA backdoor by
implementing a 0-bit cipher? Or the developer of my email software?
And all of this aside the rather obvious observation, that the CPS
verification keys are in no way relevant or effective for user data
protection and only protect the NSA from US exports of an OS that can
work with strong CSPs. Again: The NSA doesn't need their own key to sign
*weakened* cryptographic Trojan modules, because Microsoft has already
been shipping with public knowledge *signed* *weak* 40-bit cryptographic
modules for years, because these are the only ones they were allowed to
sell in Europe.
For more information about what is going wrong in this discussion,
please check out
http://www.criticalthinking.org/K12/k12library/library.nclk
Markus
--
Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
Email: mkuhn at acm.org, WWW: <http://www.cl.cam.ac.uk/~mgk25/>
