I have been doing some thinking about the whole key escrow retrieval matter. There are a couple of situations in which I can see real reasons for doing voluntary key escrow of sensitive material:

A. You're afraid of losing the key.

B. Your organization is afraid that you'll lose the key or be unavailable.

The second can be handled internally via key sharing; if all the people you share the key with have as much to lose by the information getting out as you do, then they should be trustworthy and as hard to subpoena as you are. Encrypting the shared section with another, appropriate key should take care of the cop-stealing problem (i.e., they break into the machine).

The first is more of a problem. If where you've entrusted your keys is known, then the cops can come in and strong-arm/subpoena your keys away. Thus, the basic protection mechanism should be denying them that knowledge. (Another protection mechanism is key sharing between key escrow organizations.) In other words, anonymous remailers with stable nyms for the key escrow organizations, together with fully anonymous digital cash.

One problem in this is how the organization's reputation is originally established so people will deal with them so they can get a reputation.... etcetera. The basic method of doing so appears to be to post a digital cash bond. (I don't know the mathematics well enough to tell whether one could post verifiable digital cash with it still not being usable without a decryption step. If one can't, that's a real problem... but I suspect that one can.) The encryption on such a bond should be put into the hands of a group of above-ground "judges" via secret sharing, who would be a group of people chosen by the key escrow organization in hopes of their being trusted to resolve any disputes.

Of course, digital receipts would be a big help here...

-Allen
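The secret sharing Allen proposes for the bond's decryption key (and the internal key sharing in case B) can be done with Shamir's threshold scheme. The following is an added illustration, not code from the original post: a t-of-n split of a key among hypothetical "judges", where any t shares reconstruct the key and fewer reveal nothing about it. The field prime and the sample key are constructed for the example.

```python
import secrets

# Prime modulus for the finite field; any prime larger than the secret works.
# 2^127 - 1 (a Mersenne prime) comfortably holds a 126-bit key.
P = 2**127 - 1

def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo P, by Horner's rule."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result

def split_secret(secret, n, t):
    """Split an integer secret into n shares such that any t of them reconstruct it.

    Each share is an (x, y) point on a random degree t-1 polynomial whose
    constant term is the secret; one share goes to each 'judge'.
    """
    if not (1 <= t <= n < P and 0 <= secret < P):
        raise ValueError("need 1 <= t <= n and 0 <= secret < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the shares supplied.

    With t or more distinct shares this returns the secret exactly; with
    fewer it returns a value that is uniformly unrelated to the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P      # product of (0 - xj)
                den = (den * (xi - xj)) % P  # product of (xi - xj)
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

if __name__ == "__main__":
    key = secrets.randbits(120)  # constructed sample key
    shares = split_secret(key, n=5, t=3)  # five judges, any three suffice
    assert recover_secret(shares[:3]) == key
    print("3-of-5 reconstruction succeeded")
```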