Re: New Threat on the Horizon: Software Key Escrow
Tim May writes:
Diffie described in some detail a software-based scheme developed by NIST (and Dorothy Denning, if I recall correctly) that, as I recall the details, avoids public key methods. Perhaps this was also
If it's the same scheme that I'm thinking of (that Dorothy Denning presented at the Karlsruhe workshop), it was developed by Stephen Walker and David Balenson of Trusted Information Systems, in cooperation with NIST. It's a cute scheme - it doesn't involve secret hardware or algorithms, but does involve public key cryptography, roughly in place of the clipper unit and family keys. You can thwart the system with cooperation at both ends, but you can't interoperate with legal users; in this sense it's more robust against abuse than the Clipper hardware-based system.

The basic idea is that each user gets a unique public key from the government, which is used to encrypt the session key. You encrypt the session key with this key and send both it and the certified public key to the receiver, who verifies the signature to confirm that it really was issued by the government. Now the receiver also encrypts the session key and compares the result with what you sent, refusing to operate if they don't match. Of course, two parties can cheat by patching their verification routines. But it's very hard to interoperate with non-rogues.

-matt
participants (1)
-
Matt Blaze
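The receiver-side check described in the message above, as an added sketch that is not part of the original post or of the TIS/NIST design. It assumes unpadded toy RSA for the public-key step (the post names no algorithm), constructed keys and session key, and hypothetical function names; how the receiver learns the session key is outside the sketch.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy RSA key pair from two small constructed primes (illustration only)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

# Constructed keys: the government's certifying key and one user's escrow key.
GOV_PUB, GOV_PRIV = make_key(1000003, 1000033)
ESCROW_PUB, ESCROW_PRIV = make_key(999983, 1000037)  # private half stays with the escrow agent

def digest(pub, modulus):
    """Hash of a public key, reduced so the toy signature can cover it."""
    h = hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).digest()
    return int.from_bytes(h, "big") % modulus

def certify(pub):
    """Government side: sign the user's escrow public key."""
    n, d = GOV_PRIV
    return pow(digest(pub, n), d, n)

def wrap(session_key, pub):
    """Encrypt the session key under an escrow public key (unpadded, deterministic)."""
    n, e = pub
    return pow(session_key, e, n)

def receiver_accepts(session_key, escrow_field, sender_pub, cert):
    """Receiver side: verify the certificate, then re-encrypt and compare."""
    gn, ge = GOV_PUB
    if pow(cert, ge, gn) != digest(sender_pub, gn):
        return False  # key was not issued by the government
    # The comparison works only because this encryption is deterministic;
    # a randomized padding scheme would need another way to prove the field.
    return wrap(session_key, sender_pub) == escrow_field

def escrow_recover(escrow_field):
    """Escrow agent side: recover the session key from the transmitted field."""
    n, d = ESCROW_PRIV
    return pow(escrow_field, d, n)

SESSION_KEY = 0x1234ABCD                       # constructed; must be below the modulus
CERT = certify(ESCROW_PUB)
FIELD = wrap(SESSION_KEY, ESCROW_PUB)
ROGUE_PUB = (1000039 * 1000081, 65537)         # constructed key with no government certificate

if __name__ == "__main__":
    print("compliant sender :", receiver_accepts(SESSION_KEY, FIELD, ESCROW_PUB, CERT))
    print("garbage field    :", receiver_accepts(SESSION_KEY, (FIELD + 1) % ESCROW_PUB[0], ESCROW_PUB, CERT))
    print("uncertified key  :", receiver_accepts(SESSION_KEY, wrap(SESSION_KEY, ROGUE_PUB), ROGUE_PUB, CERT))
    print("escrow recovers  :", escrow_recover(FIELD) == SESSION_KEY)
```

An unmodified receiver rejects both the garbage field and the uncertified key, which is why a sender who bypasses escrow cannot interoperate with one.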