>> Many of the interesting cases can be addressed by some mixture of >> extreme key fragmentation with escrow fragmented across a set >> of organizations that are both unable and unlikely to collude, but >> would co-operate with an appropriate third party if presented with >> the appropriate justification. > >That's theory that could reasonably sound appealing. Are there >real-world examples of a model like this showing the desired properties >that balance safety and utility? Also scalability. In the Apple iMessage system, every user has a separate key pair and only sends the public key to the Apple directory. How do you fragment and escrow all umpteen million of the private keys? A system in which Apple held a master key would be a major redesign and a major step backwards. Even a system where a key, once disclosed, allowed access to all future traffic with that key would not be desirable. R's, John