liberal (Japan) to non-liberal (France). We believe that "binding cryptography" is flexible enough to achieve this: a liberal crypto policy might use no Trusted Retrieval Parties at all, while a very non-liberal country might want one (government controlled) TRP, a compliance check on all network traffic and a ban on other crypto. I doubt that even French internet providers would want their routers to perform six modolo exponetiations and four modolo divisions whenever someone opens a secure socket... We offered a solution for the *first* task not for the *second*; the point is that criminals(!) do not gain any real advantage from using the system in that way as they - among other things - still face the key-management problem. The above dicussions are only relevant in countries where the use of crypto outside the structure would be prohibited. Of course, criminals do get real advantage from this system. They can use strong encryption for their messages and super-encrypt them using "binding" cryptography. So their illegal messages look perfectly inconnous as long as their government trusts in the "binding" property of this scheme. Only when the GAK key holder tries to decrypt a message, they notice that they cannot read it. Can you imagine that anyone would ever create a program that tries to look like a conforming implementation, but generates invalid "binding" data -- when it is so much easier to simply use PGP, and (if necessary) disguise that fact using the government-approved encryption software? I don't, so in my opinion the verification process is abolutely useless. One might say, binding cryptography, like several other cryptographic protocols, is a nice 'solution', but one with no corresponding 'problem' in the real world. :) It doesn't help in legitimate law enforcement, but it causes trouble to network operators and it deprives law-abiding citizens of their privacy. And criminals don't face "the key-management problem". In any GAK scheme, the official keys can be used to certify other un-escrowed encryption keys. Binding cryptography makes it just a little easier, because there is no need to create any "illegal" key pairs. Everyone can encrypt messages using the government-certified ElGamal keys, and then repeat that process, this time including the data required for goverment access. that use of other systems will always be possible. Also, the above discussions already showed that if such a system is voluntary, then there are lots of way to go around it. Criminals will always find ways around these systems -- even if they are mandatory. Just those who actually "have nothing to fear", will not go in the risk to use illegal encryption. So governments can wiretap law-abiding citizens, but not criminals. What useful is a system like that? -- one ring to rule them all, one ring to find them one ring to bring them all and in the darkness bind them in the land of mordor where the shadows lie.