
[Note-- I am not subscribed to ietf-open-pgp at this time. My apologies if this submission from a non-subscriber is unwanted. I will be brief. --Zooko]

Adam,

I applaud your effort to steer discourse toward productive work re: GAK, CMR, CDR. I haven't thought about your idea enough to have a definite opinion, but at first blush it seems a promising strategy to design high-security and forward-secrecy for communication but recovery/sharing features for stored data.

I wonder if it is too much early-days to start talking about advanced protocols e.g. secret-splitting in IETF-Open-PGP? Probably so. Better just punch out a standard with current tech...

Hm. What about the idea of storing your data remotely (for cost-efficiency, safety, etc.) using encryption to maintain your privacy? In that case, the distinction between comms and storage keys is blurred. A company may choose to e.g. store all long-term data at Zooko's Backup Server, encrypted in such a way that some combination of corporate keys (controlled by individual employees and/or departments) is necessary to decrypt each package of data. This would open the door, as you fear, for a government to mandate that _its_ key be added to each set, with authority to open any package even without the cooperation of any corporate keys.

I'm not sure how to weigh the relative risks and benefits. I (ever so humbly) think that Zooko's Backup Server would be a great value for businesses, and that part of that value would be the ability to make data unlockable by various keys, both for administrative/internal security purposes and for robustness against accidents and saboteurs. Zooko's Backup Server can be physically located in a country free of such intrusive organizations, but of course it is the intrusive organizations of the _client's_ country that become important with that kind of protocol...

Regards,

Zooko

P.S. There is already a company whose name I have forgotten that offers hard-drive backups over TCP/IP. They use some encryption but I don't know how strong.