
I was actually working on a message saying something similar, under the working title of "Trusted First Parties". The idea is to generate a separate key pair to be used for recovery purposes, and then place the private key in a trusted, off-line location (much easier to arrange than if the key is to be kept on-line). The key should probably be encrypted using a symmetric algorithm keyed off a pass phrase, but since the pass phrase will only ever be used once, it's the kind of thing that might end up being forgotten, especially in those "what's that tree doing in the middle of my machine room?" key recovery moments. Because the TFP key is protecting other keys, the key length should be such as to give a work factor equal to or greater than that needed to force the keys that will be protected by it.

TFP can be used to weaken forward secrecy by encrypting the ephemeral session key under the TFP key and sending it with the message stream. You don't have real forward secrecy, because if the TFP key is cracked, all prior session keys will be exposed; however, this setup is still somewhat better than straight RSA key exchanges using your regular key, as the private TFP key is less exposed.

Simon
---
Huge taxi cabs now! Huge spelling cuts now! Balance the budgie now!
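The session-key escrow step Simon describes, as an added Go example that is not part of the post: each message is encrypted under a fresh session key, and that key is wrapped under the TFP public key and carried alongside the ciphertext, so the holder of the off-line TFP private key can recover any message later. The names `EscrowedMessage`, `Seal`, `Recover`, the AES-GCM/RSA-OAEP choice and the label are my assumptions; the pass-phrase encryption of the stored private key is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// EscrowedMessage: ciphertext plus the ephemeral session key wrapped under the
// TFP public key, sent with the message stream as the post proposes.
type EscrowedMessage struct {
	Nonce, Ciphertext, WrappedKey []byte
}

var oaepLabel = []byte("tfp-recovery") // constructed label binding the wrap to its purpose

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts msg under a fresh 256-bit session key and wraps that key with
// RSA-OAEP under the TFP public key. The caller generates the TFP pair with
// rsa.GenerateKey, sizing the modulus per the post's work-factor rule.
func Seal(tfpPub *rsa.PublicKey, msg []byte) (*EscrowedMessage, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil { return nil, err }
	gcm, err := newGCM(sessionKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, tfpPub, sessionKey, oaepLabel)
	if err != nil { return nil, err }
	return &EscrowedMessage{nonce, gcm.Seal(nil, nonce, msg, nil), wrapped}, nil
}

// Recover is the off-line TFP holder's side: unwrap the session key, then decrypt.
// Whoever holds (or cracks) this one key can do this for every past message.
func Recover(tfpPriv *rsa.PrivateKey, em *EscrowedMessage) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, tfpPriv, em.WrappedKey, oaepLabel)
	if err != nil { return nil, err }
	gcm, err := newGCM(sessionKey)
	if err != nil { return nil, err }
	return gcm.Open(nil, em.Nonce, em.Ciphertext, nil)
}
```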