Netscape's use of the controversial key recovery in its software is driven by customer demand, not government policy, Marc Andreessen told Wired News on Tuesday.
"What people are having trouble grappling with is the separation between technology and policy," said Andreessen, Netscape's senior VP of technology, in response to a Wired News analysis of the key recovery features. "We are providing in our software the ability for any company - any of our customers - to implement whatever policy they want, including a policy of not enabling key recovery at all.
"I spend close to half my time with customers and I hear it all the time," said Andreessen. "Most mainstream companies cannot deploy a secure certificate-based infrastructure for either internal or external use without key recovery, since they need a way to recover information if someone gets hit by a bus."
So if a user does enable key recovery, and if the government where that user lives shows up and asks for keys, well, that's purely a government policy issue and one that exists independently of the software beneath it, he said.
The threat of government abuse of such technologies, says Andreessen, is over. "The original 'key escrow' scheme had the government maintaining a giant archive of all keys in use. Not only would this be practically impossible, but then the same government that freely shuffles around FBI files at whim would be able to go dipping into the key escrow archive at any time, without anyone knowing."
Netscape had announced details of its crypto plan earlier this month, in which strong crypto would be exported, but with some key recovery provisions - although its "on the wire" SSL encryption would not.
"Of course," Andreessen said, "we still believe that the government restrictions on our ability to export software that implements strong encryption overseas are damaging to the US technology industry and futile, and we continue to fight that policy issue every way we can."