Microsoft has posted a response to Cryptonym's NSA security backdoor story (see this news posting). If we are to believe Microsoft, nothing is wrong at all and the NSA key is simply a somewhat unfortunately named backup key:
Q: Why are there two keys? A: There is a primary and a backup key.
Q: Why is a backup key needed? A: The backup key is needed for disaster recovery. To see why, suppose we had only one signing key. If a natural disaster destroyed the building in which it were kept, all of the previously-signed CSPs would continue to function normally, because the key used for verification exists in every copy of Windows. However, Microsoft would need to sign future CSPs using a new key. In order for these CSPs to be verified, matching key material would need to be provided to all of the millions of customers using Windows 95, 98 and Windows NT. Clearly, this would be a massive undertaking.
This is why there are two keys. If something befell the primary key, Microsoft could thereafter sign CSPs using the backup key. Because the backup is already in every copy of Windows, there would be no disruption to customers.
Q: Why is the backup key labeled "NSA key"?
A: This is simply an unfortunate name. The NSA performs the technical review for all US cryptographic export requests. The keys in question are the ones that allow us to ensure compliance with the NSA's technical review. Therefore, they came to be known within Microsoft as "the NSA keys", and this name was included in the symbol information for one of the keys. However, Microsoft holds these keys and does not share them with anyone, including the NSA.
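
The two-key arrangement the FAQ describes, as an added Python sketch that is not Microsoft's code: a loader accepts a module when either embedded public key verifies its signature. The key names, the toy textbook-RSA scheme built from known Mersenne primes, and all function names are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys


def make_key(p, q):
    """Build a toy textbook-RSA key (n, d) from two primes. Not secure."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return n, d


def digest(module: bytes, n: int) -> int:
    """SHA-256 of the module, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(module).digest(), "big") % n


def sign(module: bytes, key) -> int:
    """Signer side: needs the private exponent d."""
    n, d = key
    return pow(digest(module, n), d, n)


# Constructed stand-ins for the real keys (assumption), from Mersenne primes.
PRIMARY = make_key(2**61 - 1, 2**89 - 1)
BACKUP = make_key(2**107 - 1, 2**127 - 1)
OUTSIDER = make_key(2**31 - 1, 2**61 - 1)  # a key that is NOT embedded

# Only the public moduli ship in "every copy" of the loader.
TRUSTED = {"primary": PRIMARY[0], "backup": BACKUP[0]}


def verify_csp(module: bytes, signature: int):
    """Return the name of the embedded key that accepts the signature, else None."""
    for name, n in TRUSTED.items():
        if signature < n and pow(signature, E, n) == digest(module, n):
            return name
    return None


if __name__ == "__main__":
    csp = b"constructed sample CSP image"
    print(verify_csp(csp, sign(csp, PRIMARY)))   # signed before the "disaster"
    print(verify_csp(csp, sign(csp, BACKUP)))    # signed after losing the primary
    print(verify_csp(csp, sign(csp, OUTSIDER)))  # unknown signer is rejected
```

Because either key is sufficient on its own, the loader's trust set is the union of both: whoever holds the backup private key can authorize modules exactly as the primary holder can, so custody of both keys matters equally.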