Netscape Communications Corp has become the latest company to win the blessing of the US government to export its software that uses encryption above the mandatory 40-bit limit. Once a company, like Netscape, convinces the US Commerce Department that it has a plan to implement key recovery, whereby government-approved third parties hold keys to unlock the data if the appropriate court order is obtained, the company is then allowed to export up to 56-bit key encryption technology. In Netscape’s case this applies to its e-mail software, so that for each employee, companies using Netscape e-mail software would have two keys: one for the employee’s digital signature and one that could be held in escrow with a trusted third party. Once this plan is implemented, with software written and ready that uses the encryption, the company can apply for unlimited key size, which is exactly what Netscape is doing now. But Netscape chief scientist Taher Elgamal said the other half of Netscape’s plan, that it hopes will secure a license to export its web servers with unlimited encryption capabilities, is different from the handful of other companies granted a license, because it doesn’t require any key recovery or escrow. Instead it relies on data recovery through web servers. He said that as most users are not authenticated by using keys or digital signatures, and are therefore anonymous, as long as Netscape can prove that it can get access to data on its own web servers, then it should be given license to export any level of encryption. Elgamal said other vendors have tried to do key recovery by embedding keys in Secure Socket Layer (SSL) sessions, but that changes the protocol, and with tens of millions of browsers out there, such a change would prove a logistical nightmare, he claimed. Getting approval for the 56-bit part took Netscape about two months, and Elgamal didn’t want to try and predict how long the government would take with the second half of the plan. Other companies that have received permission to do 56-bit encryption are IBM, DEC, Trusted Information Systems Inc and Open Market Inc.
