Eric Hughes, replying to somebody, wrote:

As a previous poster mentioned, users could select null or locally controlled key escrow agents, and effectively have a non-escrowed system.

The system I've seen (Whit's recollection of Steve Walker's) did not allow a cooperating party to interoperate with a non-cooperating party. In other words, both correspondents must comply with gov't key surrender, or neither.

It's a little better than that, but not much. There are three sides to the process - writing the wiretap field, verifying the wiretap field, and using the field to wiretap. The receiver can definitely verify the wiretap field, but has a choice about whether to do the verification or accept conversations with an invalid field. If a conformist receiver refuses to accept conversations without a verified wiretap field, the sender has to include it to talk. (This is the opposite of Clipper, where the receiver has no control over the system, but the sender can construct a fake wiretap block with some work.) The sender has a choice of what keymaster agencies to use, but the receiver can choose whether or not those agencies are acceptable. It's easy to turn off software key escrow, but only on your own machines. Unfortunately, the most interesting cases are applications like cellphones, where the sender is the occasionally non-conformist phone user, the receiver is the phone company, and the government can bully the phone company into being conformist about both verifying the block and only accepting politically correct keymasters. For other cases, like encrypting fax machines, they'll probably accept any keymaster, so you can probably use "Dev Null Key Security Inc." (The government *could* get nasty and insist that encrypting fax machines can only be imported if they verify that the keymaster's key is signed by the Key Generation Bureau, but it's a lot harder to control millions of fax machine users than a few hundred phone companies.) Bill