peter.allan@aeat.co.uk (Peter M Allan) wrote: [skip] I suspect the scheme is incomplete anyway. After skimming the web page I see that the aim is to show the same session key has been encrypted under different ElGamal pubkeys. Now who's to say those pubkeys belong to anyone ? Or is this what is meant by "such as Margaret's identity" ? You'd list the ids of the TRPs and also prove that the pubkeys used were theirs .... ?

One can imagine that included in the certified key of a TRP is a statement like "PKI-ROLE = Trusted Retrieval Party". As it is certified by a higher order (e.g. a root of the PKI) it can be verified. Eric