The Clipper key generation is almost too bizarre to contemplate. In the recent Denning article we still have the fantastically implausible (or at least unimaginable) indication that it is all done on a `laptop computer'. She left out the indication that it is destroyed. Only one implausibility at a time. Anyway, there are various aspects that don't entirely make sense, or seem to indicate some kind of ulterior design constraints. I would like to hear speculation on what the design constraints were. In particular, they could just let the key generator site create random keys. But then there would be accusations that they are encoding secret information or something, and the appearance is too much like `we will know all the keys' irrespective of key escrow agencies. So we have this picture of the two escrow agencies entering in information into the initial system that determines the final unit key, two 80 bit values. This means the escrow agencies could theoretically combine keys and reproduce the entire process to recompute the unit key and prove that the key generation as described is actually taking place. It also makes it look like the key originates completely from outside sources. But wait! The generation site (read: NSA in capital letters) supplies the `starting serial number'. That is, it is completely at the discretion of the NSA to determine the serial number. Now, given that this should be random and contain no extra information, wouldn't we all feel a bit more comfortable if the key escrow agencies also supplied it, or that it was based on their input? What could be put in the serial number that is useful? There are 64 bits to play with here and the two keys are 160. Denning says that it is `padded' -- almost a Freudian slip. The key generation process is rather interesting. It clearly is not `cryptographically secure' in the sense that it relies on the security of an algorithm for protection against abuse. This makes me think of the following problem, which I wonder how has been explored in the literature: consider it the Clean Key Generation problem. How can a chip be programmed such that no one ever has the complete key all at once? I would like to see the chip go through two stages: in the first stage the first agency plugs in their half of the secret key, in the second stage the second key agency does so, and the ability for either to read the other is impossible. This would guarantee there is no illicit archival. In fact, the centralized key generation in the scheme seems so absolutely preposterous, because it is not `cryptographically secure', it is only `NSA-assured-secure' (hey, a new category of communications security!) What is the assurance that the facility is `safe'? Alternatively, it would be very useful to devise some cryptographic or technological scheme whereby a chip could be programmed at a centralized location based on the input from multiple escrow agencies, but the complete key is never available to the programmers. Seems like a real catch-22, but then again so is public key cryptography (need to ruminate on this one some more). of course, these are all just theoretical ramblings and not to be taken in any way of endorsement of key escrow...