If too much attractive stuff is available by loss of any one public key, that key gets attacked. To compensate for this, the TIS DRC generates new public keys periodically to give out to new (or old) customers.
However, a government warrant which demands the DRC's private key collection would gain quite a harvest.
The economics of the situation seem to dictate that whether you have one key or N keys, it's going to be cheaper to subvert the escrow agent (you guys or whoever) than it is to brute-force even one key. Therefore I'm not clear on how using multiple keys buys you much against the most probable threat -- opponents getting physical access to keys or the subversion of personnel who have legitimate access. Of course, it's still a good policy, reducing the payoff to those too timid to try the direct approach. But I think this threat is significantly less likely than a disgruntled employee selling the DRC private keys on a real instantiation of the Blacknet model, without even being solicited. You may feel very comfortable with the personnel and procedures you have in place now, but auditing and vetting systems are notorious for scaling very, very poorly. You may feel you can vouch for the trustworthiness of everyone at TIS now, but this sort of familiarity also scales very poorly. And clearly, were this to become commercially significant, it would need to scale quite a bit. Douglas Barnes Electric Communities