The basic idea is that each user gets a unique public key from the government, which is used to encrypt the session key. You encrypt the session key with this key and send both it and the certified public key to the receiver, who verifies the signature to confirm that it really was issued by the government. Now the receiver also encrypts the session key and compares the result with what you sent, refusing to operate if they don't match.
Of course, two parties can cheat by patching their verification routines. But it's very hard to interoperate with non-rogues.
I don't see any defense in this description against using someone else's public key. The feds could still decrypt such messages, but wouldn't know who was talking. At least not from the envelope. This could defeat casual mass traffic analysis by agencies who have the private keys, because they'd have to look inside the messages for identity cues. It could also defeat *all* traffic analysis by parties who don't have the private keys. That would make it preferable to Clipper. Or does the proposed system also have some authentication component? --- Jef
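An added toy model of the scheme as described above (example code, not from the thread). It uses textbook RSA on small hand-picked primes so that encryption is deterministic and the receiver's re-encrypt-and-compare step works; the names, the sample session key and the digest-mod-n shortcut are assumptions. The receiver's check verifies the government signature and the ciphertext, but nothing in it ties the certificate to the sender, which is the gap Jef points out.

```python
import hashlib

# Toy textbook RSA on small primes, constructed for illustration only. Textbook RSA is
# deterministic, which is what lets the receiver re-encrypt and compare; randomised
# padding would defeat that check.
def make_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

GOV_PUB, GOV_PRIV = make_key(1000003, 1000033)      # government signing key
ALICE_PUB, ALICE_PRIV = make_key(1000037, 1000039)  # issued to Alice, private half escrowed
BOB_PUB, BOB_PRIV = make_key(1000081, 1000099)      # issued to Bob, private half escrowed

def key_digest(pub):
    n, e = pub
    h = hashlib.sha256(f"{n}:{e}".encode()).digest()
    return int.from_bytes(h, "big") % GOV_PUB[0]  # reduced to fit the toy modulus

def government_certify(pub):
    """Government signs the public key it issues; the certificate travels with each message."""
    n, d = GOV_PRIV
    return (pub, pow(key_digest(pub), d, n))

def certificate_valid(cert):
    pub, sig = cert
    n, e = GOV_PUB
    return pow(sig, e, n) == key_digest(pub)

def make_envelope(session_key, cert):
    """Sender: wrap the already-agreed session key under the certified public key."""
    (n, e), _ = cert
    return (cert, pow(session_key, e, n))

def receiver_accepts(session_key, envelope):
    """Receiver: check the government signature, then re-encrypt the shared session key
    and insist it matches. Nothing here binds the certificate to who is sending."""
    cert, wrapped = envelope
    if not certificate_valid(cert):
        return False
    (n, e), _ = cert
    return pow(session_key, e, n) == wrapped

def escrow_decrypt(envelope, escrowed_priv):
    """Agency holding the escrowed private key recovers the session key from the envelope."""
    _, wrapped = envelope
    n, d = escrowed_priv
    return pow(wrapped, d, n)

SESSION_KEY = 0x5EC7E7  # constructed sample session key, kept below the toy modulus
ALICE_CERT = government_certify(ALICE_PUB)
BOB_CERT = government_certify(BOB_PUB)
```

An envelope built with any government-certified key passes `receiver_accepts`, so the envelope alone identifies a key, not a speaker.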