[2727] in cryptography@c2.net mail archive
Re: FYI: I believe Microsoft has knowingly violated the export rules
daemon@ATHENA.MIT.EDU (Mok-Kong Shen)
Wed May 20 13:18:25 1998
Date: Wed, 20 May 1998 18:33:38 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
To: Marc Horowitz <marc@cygnus.com>, cryptography@c2.net
Marc Horowitz wrote:
> Because you are new, you didn't see a recent thread.
>
> The existence of crypto in the OS (SSPI, MSRPC, whatever) matters very
> much, because it affects whether or not communications between average
> people (say, my mother and my sister) are secure. Neither of them is
> going to run an "independent strong encryption program". It happens
> automatically, for everyone, or it might as well not happen at all.
> If you have to be paranoid to get security, we've already lost.
I see that if a vendor provides a good encryption algorithm and
SSPI can automatically invoke that then it is convenient for the
user. But there is also a problem of how good that algorithm is.
(In a certainly fancy case that algorithm could leak information
to a certain party.) If a user uses his own algorithm then he
knows (or believes) the quality of that. It is certainly not so
convenient because he has to start a program to encrypt each
message. Perhaps you meant that because of that inconvenience people
wouldn't do it. But I think it is really not much more than a matter
of making oneself accustomed to the procedure, analogous to the
practice of sealing the envelopes of letters (the post office does
not require sealing but most people seal their letters). In fact
what one has to do is to compose with an editor, save the file,
start the encryption and send the resulting file, a sequence of
actions that could be started by typing in the name of a suitably
written 'procedure' of the system. There is of course the question of
availability of good encryption software. But that perhaps could be
reserved for a separate thread of discussions.
M. K. Shen
