RE: Wired query on Windows 2000 and DES/3DES




I was out of town for Thurs eve-Sun, heads down for Wed & Thurs to get free, otherwise I could have replied to the list earlier.  We essentially had 6 hours to reply from when I saw it Monday morning, so I spent all day Monday explaining & doing the process.  Ron Cully & I had a detailed discussion with Declan Monday evening about why this functionality exists - he knew far more than he printed and I assume chose his words for the popularity of the anti-MS position.  It is unfortunate that others on the list reacted the way they did on initial information and were quoted verbatim.  The other Microsoft engineers who replied assumed they were talking to the IPSec developer audience - who are very familiar with the protocol and the real administrator issues for deployment using centralized policy for both client & server side IPSec transport configuration on hundreds or thousands of systems in a non-geographically, but administratively defined group vs. local configuration of a box.

I will post an explanation as soon as I can, but as you might expect I'm completely slammed with fire fighting, probably for the rest of the week.  It has been in Win2k's IPSec implementation since beta1 and constantly briefed to customers, and documented everywhere we describe setting security levels, not to mention logged in two places, the application log always and the security audit log when auditing is enabled.

I would consider not installing the strong crypto pack a much more serious issue for the platform in general - since it limits all cryptographic services & protections in the operating system.  The strong crypto pack should be on a floppy in every Win2k box shipped according to the new more-open US export rules, subject to Microsoft having received import allowance & sale to public allowances in the end-user political jurisdiction.  That said, I understand the views of the people on the list and will get back to you.  -Wm

-----Original Message-----
From: Declan McCullagh [mailto:declan@wired.com]
Sent: Tuesday, May 16, 2000 6:02 AM
To: ipsec@lists.tislabs.com
Subject: Re: Wired query on Windows 2000 and DES/3DES


My article is here:

http://www.wired.com/news/technology/0,1282,36336,00.html

Thanks, all, for the help.

-Declan