I am seeing a lot of messages in a lot of forums from IETF-ers denouncing the evils of 'key escrow' and 'key recovery'. While these sentiments are well intentioned, I would like people to be more precise with their language. In particular, people need to be precise in distinguishing 'Key Recovery' and 'Mandatory Key Recovery' and especially careful not to ascribe opinions to the IETF or the IETF security folk.
The issue with key recovery is consent and who has access to the keys, not whether key recovery is desirable.
If you are going to encrypt your pictures of the children when they were 2, you really don't want to find out that you can't read them any more because the decryption key has been lost. For 99.9% of users, the ability to guarantee access to their data is a vastly higher priority than frustrating government surveillance efforts.
Looking over the history of the first cryptowar, I think that we made a massive tactical mistake early on in deciding that the primary objective was to block Louis Freeh's powergrab at all costs and design technology accordingly. One consequence of that approach was to make the technology as incompatible with key recovery as possible, another was to demand end-to-end encryption or nothing.
The result was a pyrrhic victory. We won the battle, but as we have recently found out we lost the war, and decisively. Presenting end users with a choice of perfect security (according to our criteria) or nothing, the users chose nothing. And yes, I fully accept that I was as much to blame for that as anyone else.
So over the past couple of years I have been putting together a redesign of end-to-end secure email (and other applications) and recognizing that real users demand that there is absolutely no chance of them losing their precious data, I have built in key recovery at the ground floor. Every personal profile in the mesh has at least one key recovery key defined. Every time a keypair for static encryption is created, a key recovery block is created and escrowed.
If anyone is telling Congress that Key Recovery can't be made to work, they are completely wrong. I have the code to prove it.
The Mesh supports Key Recovery but it does not meet the goals of mandatory key recovery. Nor is it possible to meet such goals. While the reference code always generates a key recovery block when a keypair for static encryption is created, there is absolutely no way to know if the private keydata that has been escrowed actually corresponds to the public key that is in use. Nor is there any way I can extend the system to enforce a mandatory key recovery system without relying on technology that does not exist today and is about as likely to exist as technology for teleportation or telepathy.
This is the reason why it is important to be precise with language, it is not the 'key recovery' part that is hard, it is the 'mandatory' part. People can and do leave keys under the mat for themselves, it is being required to do so for the use of the federal police and intelligence agency that creates the problems.
In short:
Key Recovery is like sex, you can live without it but you really don't want to try.
Mandatory key recovery is key recovery without knowledge, consent or control.