Consensus needed for encryption export policy to succeed
Is a key recovery policy the answer to forestall this international turmoil?
San Francisco (02/11/97) -- In order for the Clinton Administration's encryption export policy to succeed, countries around the world must come to a consensus on key recovery, according to a government official and a chief scientist at a company that sells cryptography.
"We can't succeed if everybody else is going down a different road," William Reinsch, under secretary for Export Administration in the U.S. Department of Commerce (DOC), said yesterday during a press briefing at a DOC conference. He acknowledged, however, that U.S. officials "are not as far as we should be in bringing everybody together."
The Administration has been lobbying officials from other countries to promote key recovery systems for their own encryption export policies as part of discussions on general guidelines to be released next month by the Organization for Economic Cooperation and Development (OECD).
U.S. officials will also look for a different forum to address more specific issues related to coordinating disparate key recovery policies, Reinsch said.
The new policy allows U.S. firms to export 56-bit encryption if they agree to develop key recovery technology within two years.
Reinsch said it will be tricky to get policies in various countries to conform. Some policies are looser than the U.S. government's, while others are stricter.
For instance, while the Russians and Israelis have import controls, France requires government-approved key recovery and restricts imports to 40 bits. On the other side, the Swiss have no export restrictions, and the country is "oblique in its intentions," said Reinsch.
Critics of the U.S. policy argue that customers, particularly outside the U.S., generally oppose key recovery. But most of Cylink Corp.'s customers are willing to go along with key recovery in order to use strong encryption, said Chuck Williams, Cylink's chief scientist. However, the customers are demanding the ability to hold their own keys, he added.
Cylink is developing a system to enable it to serve as key recovery agent for customers, as well as technology that allows customers to serve as their own key recovery agents, Williams said.
Reinsch acknowledged that the section of the new regulations dealing with self key recovery needs clarification, partly to address concerns that the government will be able to exercise too much control over the key recovery agencies.
Both Reinsch and Williams said that aside from worldwide support, authorities need to establish an infrastructure that will enable key recovery.
The real surprise will be to see "how fast key recovery technology goes out there before the infrastructure is set," said Williams. Cylink tells its customers now to use the key recovery system at their own risk, he added.
The federal government is drafting legislation to deal with liability issues that will arise with key recovery agents and certification authorities. "We're thinking about restricting liability and requiring insurance," said Reinsch. "I don't think the infrastructure will take off to support the technology" until the liability issues are resolved.
Currently, officials are debating the number of types of key recovery infrastructures to have, he said. Meanwhile, the controversial regulations may be modified "on the margins," but the basic elements will stand, Reinsch asserted.
This week, the Department of Commerce gave approval to a fourth company seeking to export 56-bit encryption under the new regulations, and three or four more plans are being prepared, according to Reinsch, who would not name the latest firm. Last week, executives from Cylink, Digital Equipment Corp. and Trusted Information Systems Inc. announced they had received export permission for 56-bit encryption.
Also yesterday, U.S. Congressman Bob Goodlatte of Virginia announced that he will reintroduce legislation next week that would prohibit the government from requiring key recovery and would lift the 56-bit export limit.