A technical question about the proposed SKE schemes: are they a proper superset of non-escrowed pgp/ripem type systems
I'm not sure what you mean by superset, but I suspect that however you interpret it, the answer is no.
As a previous poster mentioned, users could select null or locally controlled key escrow agents, and effectively have a non-escrowed system.
The system I've seen (Whit's recollection of Steve Walker's) did not allow a cooperating party to interoperate with a non-cooperating party. In other words, both correspondents must comply with gov't key surrender, or neither.
Matt or Whit can comment better, since they've seen it first hand.
Eric
I just looked over the viewgraphs from the Karlshrue meeting; short of breaking the signature scheme used to certify the "package instance" public escrow key, there doesn;t appear to be any unilaterial action that one party can take to interoperate with a "legal" recipient without escrow. Others have pointed out, however, that you can re-use other people's public escrow keys (that you learned, for example, by communicating with them) to thwart traffic analysis. Of course, traffic analysis is not one of the stated requirements of the system anyway. Also, the TIS proposal involves "software" tamper resistance in the form of code checksums that the verified at run time. This is intended to discourage bi-laterial escrow circumvention. Of course, any software- only scheme can be thwarted, but patches to disable it may be a bit involved, depending on how well obfuscated the code is. -matt