There were a number of flaws in that paper, but perhaps the most glaring to me is that there are actually 3 classes of key: the two you mentioned: communications key storage key and signature key Of these, you want key recovery *only* for storage keys. You want to make sure no one can get to your signature key. Even the IWG paper notes that. But the only use for a PKI of any form is for a signature key. Once you have your identity established somehow for a signature key, you can generate and sign comm or storage keys at will. Furthermore, if you lose a signature key, there's no big loss. You generate a new one and get a new cert for it. So there's *NEVER* a reason for key recovery for a signature key -- the only keys for which there is a need for a PKI. I find myself wondering. Did some very clever crypto-theoretician plant this idea in their heads (sig key database giving GAK) knowing that the structure had termites? I first heard this from Micali...and here I always thought he was on their side. I may have misjudged the man. :) - Carl +------------------------------------------------------------------------+ |Carl M. Ellison cme@acm.org http://www.clark.net/pub/cme | |PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2| | "Officer, officer, arrest that man! He's whistling a dirty song." | +-------------------------------------------- Jean Ellison (aka Mother) -+