While I think that a variety of robust and successful products will proably emerge that support various types of key recovery, I strongly agree with Tim on engineering grounds: Keep It Simple, Stupid. When it comes to deciding on the contents of a standard, let's keep in mind that we're working with a relatively new technology. We'll make more progress by standardizing proven concepts, and these integrated key recovery hacks don't have the operating history that vanilla PGP has. If anything, my experience with Guard keying suggests that the proposed mechansims aren't enough. The problem has more hair than our sheepdog. I don't think the protocol standard needs to take a political statement about key recovery mechanisms, but it *must* outline the protocol's traditional security objectives pretty much the way Tim outlined them. That sets the context for a robust protocol that has a successful history. Now I need to shut off my mailer and go pack my suitcase. Rick. smith@securecomputing.com Secure Computing Corporation "Internet Cryptography" now in bookstores http://www.visi.com/crypto/