_NSAKEY

Microsoft denied the speculation and said that the key's name came from the fact that NSA was the technical review authority for U.S. cryptography export controls.[citation needed]

In addition, Dr. Nicko van Someren found a third key in Windows 2000, which he doubted had a legitimate purpose, and declared that "It looks more fishy".[5][6]

Richard Purcell, Microsoft's Director of Corporate Privacy, approached Campbell after his presentation and expressed a wish to clear up the confusion and doubts about _NSAKEY.

Immediately after the conference, Scott Culp, of the Microsoft Security Response Center, contacted Campbell and offered to answer his questions.[6]

The Mozilla page on common questions on cryptography describes how Microsoft signs CSPs: It is in fact possible under certain circumstances to obtain an export license for software invoking cryptographic functions through an API.

Another possibility is that Microsoft included a second key to be able to sign cryptographic modules outside the United States, while still complying with the BIS's EAR.[citation needed]

Bruce Schneier believes that the above type of concern, i.e. NSA putting a key in Windows so it can load arbitrary backdoored CSPs, is unfounded.