PGP inherently provides master-key service, which can be used for escrow. On a normal PGP message, there's a session key which the sender knows, and a copy of the session key is provided to the recipient, who can open it on the condition that he has the genuine private key. That's fairly close to _real_ escrow - it's certainly closer than Clipper's Master-Key stuff. (And it has a lot more masters :-) If PGP message-senders want to do so, they can use multiple recipients on a given message, so the key is accessible to a third party trusted by the sender (the legitimate recipient already can give it to trusted parties.) (Typically a sender might use encrypt-to-self to retain the key for later use.) An amusing feature to add to PGP (using the 3.0 toolkits when available) would be a session-key-splitting feature, which uses Shamir M/N sharing or a simple two-way split and encrypts the splits with different people's public keys, so that you could give them to semi-trusted parties. Of course, the Clintonites' proposal of "Well let you use slightly less wimpy encryption in return for GAK" is really offensive - if they've got GAK, it doesn't matter if they keys are 64000 bits long, since they'll have them. Smokescreen. On the other hand, master GAK keys don't fit well into a Web of Trust - you'd essentially have to require that people only send mail to keys that are signed by an escrow service, and people wouldn't always do that if they had a choice - to enforce GAK, you either need to limit the sender's encryption software (unrealistic) or the recipient's decryption software (unrealistic), probably by requiring exportable products to use a specific hierarchical key-service. #--- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com # Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281 #--- "The fat man rocks out Hinges fall off Heaven's door "Come on in," says Bill" Wavy Gravy's haiku for Jerry