Re: EC refutes GAK

[I originally posted this to the c2.net crypto list but apparently it never appeared, I've reposted it here in case anyone finds it useful]
The report also notes a new (to me, anyway) method of bypassing GAK while maintaining full compliance with the law:
"Users could encrypt a relatively large number of session keys in a way that the previous key encrypts the next one, always using one or several official escrow/recovery systems. Only the last key would be used to encrypt the message."
There's another way to foil GAK which I don't think has been mentioned before, using what is often referred to as "malicious obedience" in the military (or "you asked for it, you got it" elsewhere): Since I don't trust any cryptosystem based on mathematical principles, I encrypt all my communications using a one-time pad communicated on CDROM (700+MB if you push it). To limit the exposure of each pad, I change it once a month at a cost of ~$1 per CDR blank. If I communicate with around 100 people that's 100 x 12 x 700+MB or (rounding things up a bit) a terabyte of keying material a year. Since they use their own pads to communicate back to me, anyone wanting to intercept a year's worth of traffic to/from me would need to archive 100 terabytes of keying material (I'd make sure I spread out the bits of pad I used so they couldn't just keep the useful bits and discard the rest). In any case, since this will only be used for court-authorised intercepts (just keep repeating that until you believe it), everything would have to be archived without any changes so it could be used as evidence. At a cost of $100/month in CDRs this should comply with any GAK law (instant access to keys, etc.), but will also do a reasonable job of overwhelming any centralised repository charged with storing the data. Of course, since I don't trust the government any more than I trust those nasty cryptosystems based on mathematical principles, I'd use triple DES underneath the OTP just to be sure.

Peter.
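As an added illustration (not part of Peter's post, and not code from any cypherpunks project), here is a minimal one-time-pad scheme in Python with the bookkeeping the CD-ROM setup above needs in practice: a ledger that records which bytes of the shared pad have been consumed and refuses to hand out any byte twice, a `remaining()` count for deciding when the monthly pad swap is due, and a function showing what an interceptor recovers if the ledger is ever bypassed and two messages share pad bytes. The pad, offsets and messages are constructed sample data; the triple DES layer Peter mentions is omitted since the standard library has no 3DES.

```python
"""One-time pad with a pad-consumption ledger (added example, constructed data)."""
import os
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class PadLedger:
    """Tracks which byte ranges of a shared pad have been consumed.

    Every pad byte may be used exactly once. Sender and receiver each keep a
    ledger over the same pad (the CD-ROM in the post) and consume the same
    ranges; the offset of each message is sent in the clear alongside it.
    """
    pad: bytes
    used: List[Tuple[int, int]] = field(default_factory=list)  # half-open ranges

    def _overlaps(self, start: int, end: int) -> bool:
        return any(start < e and s < end for s, e in self.used)

    def take(self, start: int, length: int) -> bytes:
        """Return pad[start:start+length], or raise if any byte was used before."""
        end = start + length
        if start < 0 or end > len(self.pad):
            raise ValueError("offset outside the pad")
        if self._overlaps(start, end):
            raise ValueError("pad bytes %d..%d already consumed" % (start, end))
        self.used.append((start, end))
        return self.pad[start:end]

    def remaining(self) -> int:
        """Unused pad bytes; the pad must be replaced before this reaches zero."""
        return len(self.pad) - sum(e - s for s, e in self.used)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(ledger: PadLedger, offset: int, plaintext: bytes) -> Tuple[int, bytes]:
    """Encrypt under the pad bytes starting at offset; the offset is not secret."""
    return offset, xor_bytes(plaintext, ledger.take(offset, len(plaintext)))


def otp_decrypt(ledger: PadLedger, offset: int, ciphertext: bytes) -> bytes:
    """Decrypt with the receiver's copy of the pad, consuming the same range."""
    return xor_bytes(ciphertext, ledger.take(offset, len(ciphertext)))


def recover_from_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """What an eavesdropper gets if two messages were XORed with the same pad bytes.

    c1 ^ c2 == p1 ^ p2 because the pad cancels out, so one known (or guessed)
    plaintext reveals the other. This is why the ledger must never be bypassed.
    """
    return xor_bytes(xor_bytes(c1, c2), known_p1)


if __name__ == "__main__":
    pad = os.urandom(4096)  # constructed stand-in for the 700 MB CD-ROM pad
    alice, bob = PadLedger(pad), PadLedger(pad)

    off, ct = otp_encrypt(alice, 1000, b"meet at the usual place")
    print("decrypted:", otp_decrypt(bob, off, ct))
    print("pad bytes left:", alice.remaining())

    try:  # second use of an overlapping range is refused
        otp_encrypt(alice, 1010, b"second message")
    except ValueError as e:
        print("refused:", e)

    # Bypassing the ledger: same pad slice for two messages leaks the second.
    key = pad[2000:2010]
    c1 = xor_bytes(b"known text", key)
    c2 = xor_bytes(b"secret msg", key)
    print("recovered from reuse:", recover_from_reuse(c1, c2, b"known text"))
```

The offsets in the example are chosen by the caller, which is what lets a sender scatter usage across the pad as the post describes; the ledger only guarantees that no range is handed out twice, so both parties must still agree on which ranges they consume.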

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:
[multiple terabyte CDrom based keying material]
Reckon they'll twig, and charge you per megabyte to offer you the "service" of allowing them to "recover" your communications in real time. At the same time they'll sell the package as "helping businesses to recover data stored on disks". (I never did quite work out how this government mandated and managed "communications key recovery service" helps you recover stuff stored on your disk encrypted with storage keys you haven't given them (you don't give them your real keys, do you?)).

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`