The US government has delivered on hints that encryption policy would be loosened by saying it will allow both Netscape and Microsoft to export software that includes 128-bit encryption technology to banks worldwide for protection of online financial transactions.
Specifically, Netscape received permission from the US. State Department to export its Communicator Web browser client software, featuring 128-bit encryption capabilities. In addition, Netscape can now also export its SuiteSpot server software using 128-bit encryption to certified banks worldwide.
Microsoft got its go-ahead from the US Commerce Department. The company says it will incorporate 128-bit encryption in all domestic and export versions of Microsoft products dealing with the Internet, beginning with Microsoft Internet Explorer 4.0, Microsoft Money 98 and Microsoft Internet Information Server.
Both companies use the Secure Sockets Layer (SSL) protocol.
The government's export approval for 128-bit encryption does not require the use of key escrow - the storage of encryption keys to enable law enforcement officials to recover users' messages - but it does require a key recovery mechanism.
Under key recovery, a government-approved third-party holds the keys to encrypted data, allowing the US government to get access to encrypted data with proper court documents.
While Netscape is working with VeriSign on key recovery, Microsoft says it will turn the certificate mechanism over to a reliable third-party group at the appropriate time.
"We are still looking at various companies and eventually will pick the best one," says Mike
Dusche, Microsoft's financial services industry manager, declining to name candidates.
Analysts view the announcements of 128-bit export authorizations as being in line with the U.S. government's intention to relax its stand on encryption technology.
"All of this is likely to mean that the Clinton administration is relaxing its draconian rule on encryption," says Larry Dietz, vice president at Zona Research. "It's not an abandonment but a relaxation."
Microsoft's Dusche says that when an announced relaxation of US electronic-commerce export regulations occurs in the next several months, the Microsoft license will be updated to extend strong security to other financial institutions such as investment, brokerage and insurance firms, and to make available even more secure key lengths.
"Microsoft continues to support the position of the Business Software Alliance, which calls for an immediate relaxation of export rules," Dusche says.