Canadian IT vendors want their government to remove all encryption export controls and to not follow the U.S. government's lead in imposing mandatory key recovery, an official at a Canadian security vendor said on Wednesday.
The Canadian government had asked for suggestions on what direction the country's cryptography policy should take. Vendors held a meeting on Tuesday in Ottawa to discuss the matter, said Paul Van Oorschot, chief scientist at Entrust Technologies, in Ottawa. Submissions to the government are due by April 21, he said.
"There was a general consensus toward liberalizing controls", said Oorschot, who was at the meeting. Liberalization could include allowing exemptions for certain industries, such as health care, but eventually, the vendors would like to see the government dissolve its requirement that companies apply for permits to export encryption stronger than 56 bits in key length, he said.
The Canadian government currently makes exceptions for financial institutions and subsidiaries of North American companies, as does the U.S. government. However, the U.S. government requires vendors to commit to implementing key recovery in their products before it allows them to export anything greater than 56 bits.
Under key recovery, official key recovery agencies would provide access to "keys" to law enforcement agencies to enable them to decode encrypted information in the event of a court order.
Voluntary key recovery, where companies maintain the keys themselves, is considered good business practice for stored data, Van Oorschot said. But for "session-oriented" data, such as Internet downloads, key recovery is not a corporate necessity and should not be mandated, he said.
The Canadian government doesn't want to offend the U.S. government, according to Van Oorschot.
There is "fear of some sort of economically devastating retaliations" if Canada snubs the U.S. government's efforts to internationalize its key recovery policy, Van Oorschot said.
Entrust was joined at the roundtable by representatives from Netscape Communications Canada, Northern Telecom, Hewlett-Packard Canada, Certicom, Electronic Frontier Canada, and the Information Technology Association of Canada.
Entrust Technologies Inc., in Ottawa, can be reached at http://www.entrust.com.