by
Stewart Baker
sbaker@steptoe.com

Fritz Fielding
rfielding@steptoe.com

December 1997

We've had several conversations with various officials in the Administration regarding the Secure Socket Layer (SSL) protocol. Our objective is to get more flexible export policies for SSL-compliant products. Currently, export approvals appear to limit exports of 128-bit SSL products to banks and subsidiaries of U.S. companies.

The Administration has resisted approving exports to a broader set of end-users. They have reasoned that unless SSL is implemented with public key cryptography and the users' keys are escrowed, law enforcement cannot get access to the plaintext without going to the operator of the system to recover the plaintext from the server. Getting cooperation when the operator of the system is also the target of the investigation would be a problem.

After some extended discussions, our contacts acknowledged that there is no practical difference between approving self-escrow and approving an SSL system. If the government believes it can get a key from the end-user's organization, then the government should also believe that it can get access to that same organization's server, where the end-user's plaintext is assuredly available by virtue of the way the SSL protocol operates. There are criteria for deciding who may self-escrow, and perhaps the same or similar criteria should apply to SSL.

We think the Administration may be ready to be flexible because they realize SSL is too widespread to block for much longer.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

For further information please contact L. Benjamin Ederington on Tel: +202-429-6411, fax: 202-429-3902 or E-mail: bedering@steptoe.com.