
This is along the lines of a technical monkey-wrenching of GAK:

1) The state of email encryption

If the NSA decides they would like to get a decrypt of an email that you sent, they turn up with a copy of the encrypted email and request that you decrypt it. The reason that this is so bad is that you have effectively secret shared your plaintext between the NSA (who has archived all of your encrypted email) and yourself (who still has the key). This is not in your interests.

2) Mandatory GAK

In a future with mandatory GAK, the NSA has all your keys already, because they have a nice database of them, and so they can decrypt anything they feel like.

3) Monkey-wrenching

Even with GAK, where you are forced to give the government the keys, you can do much to make the job of administering GAK very expensive. You start by ensuring that the government cannot get your encrypted data (the other half of the secret share), so that the key is of no use :-)

You can do this by using a forward secret protocol such as Diffie-Hellman to exchange data; then you can't provide the encrypted text to the NSA even if you want to.

But won't they make forward secret protocols illegal at the same time as enforcing GAK? Well, maybe they've left it too late already. Consider:

- IP security layers in general: they provide an extra layer of encryption that the NSA has to obtain the keys for to make sense of their tap. They may have to archive impossible amounts of IP traffic if they can't recognize the type of IP traffic through the IP level encryption (www traffic has its uses as cover traffic :-)

- IP security layers which use Diffie-Hellman: forward secrecy means that the site owners can't decrypt old IP traffic even if they want to. When using an IP security layer, email delivered via SMTP will be transparently sent over an encrypted link with a random symmetric encryption key negotiated with DH.
So the NSA can't get your encrypted email, so the fact that they have the decryption key doesn't help them.

Even if the NSA had access to the signatory keys used to authenticate the DH key negotiation, they would still have to do an active MITM attack on the link. This is not something they can do after the fact. Bang goes the ability to archive it all and present it to people afterwards for decryption. Also, the expense and complexity of fishing expeditions become impractical.

To do a successful MITM attack, the NSA must also subvert the authentication key infrastructure, and hope that no one uses a subliminal or out-of-band channel to verify the authentication.

The above arguments, depending on how quickly things like John Gilmore's S/WAN are deployed, will quickly reduce the Government's options to:

- attempting to revoke de facto international standard internet protocols after the fact

- requesting the authentication keys used to sign DH negotiations, so that they can do MITM attacks, and getting an IP packet modification infrastructure built (something significantly harder, and more expensive, than the digital telephony bill which is still floundering at an estimated $4Bn)

So, to monkey-wrench GAK, be an early adopter of IP link level security, and make sure that everybody is using link level security with forward secrecy, long before Clipper IV gets forced into use as a voluntary, or possibly later mandatory, scheme.

Adam

-- 
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
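The forward-secrecy argument in the post, as an added example that is not part of the original message: an archiver that holds a full tap of the link and, thanks to GAK, the long-term authentication key, still cannot open a session keyed by ephemeral Diffie-Hellman, while an attacker holding that same key can only succeed by being in-line during the exchange (and must then also re-encrypt for the far side in real time). The group is the RFC 3526 1536-bit MODP group, transcribed here and self-checked at import time; HMAC under a pre-shared long-term key stands in for the signature that authenticates the exchange, the SHA-256 keystream is a toy cipher for illustration only, and the parties, the sample SMTP line and the function names are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# RFC 3526 1536-bit MODP group: safe prime p = 2q + 1, generator 2.  Hex is
# transcribed here; check_group() rejects a mistyped modulus.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
""".split()), 16)
G, Q, NBYTES = 2, (P - 1) // 2, 192
SAMPLE_MAIL = b"MAIL FROM:<alice@example.org> (constructed sample message)"

def is_probable_prime(n, rounds=8):
    """Miller-Rabin with random bases; enough to catch a transcription error."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_group():
    """p and q prime, and g generates the order-q subgroup."""
    return is_probable_prime(P) and is_probable_prime(Q) and pow(G, Q, P) == 1

def ephemeral():
    """One-session DH exponent: discarded after use, so the session key
    cannot be reconstructed later by anyone, including its owner."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)

def tag(auth_key, pub):
    """Authenticate a public value under the long-term key (HMAC stands in
    for a signature in this example)."""
    return hmac.new(auth_key, pub.to_bytes(NBYTES, "big"), hashlib.sha256).digest()

def derive(secret, peer_pub):
    """Session key = H(g^ab)."""
    return hashlib.sha256(pow(peer_pub, secret, P).to_bytes(NBYTES, "big")).digest()

def xor_stream(key, data):
    """Toy stream cipher (SHA-256 keystream), illustrative only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def session(auth_key, interceptor=None):
    """Authenticated DH between Alice and Bob, then one SMTP-style message from
    Alice.  Returns what a tap on the link archives plus what Bob decrypted.
    `interceptor`, if given, sits in-line on the wire during the exchange."""
    a, ga = ephemeral()
    b, gb = ephemeral()
    ga_rx, ta = ga, tag(auth_key, ga)
    gb_rx, tb = gb, tag(auth_key, gb)
    if interceptor is not None:
        ga_rx, ta = interceptor(ga, ta)
        gb_rx, tb = interceptor(gb, tb)
    if not (hmac.compare_digest(tag(auth_key, ga_rx), ta)
            and hmac.compare_digest(tag(auth_key, gb_rx), tb)):
        raise ValueError("authentication failed")
    ct = xor_stream(derive(a, gb_rx), SAMPLE_MAIL)
    bob_plain = xor_stream(derive(b, ga_rx), ct)
    del a, b  # exponents gone: neither host can reproduce the session key
    return {"ga": ga_rx, "gb": gb_rx, "ct": ct, "bob_plaintext": bob_plain}

def archiver_can_read(wire, auth_key):
    """After-the-fact attempt by an archiver holding the tap and, via GAK, the
    long-term key.  It holds only public values and the auth key; none of
    them yields g^ab, so no key it can derive opens the ciphertext."""
    holdings = (auth_key, wire["ga"].to_bytes(NBYTES, "big"),
                wire["gb"].to_bytes(NBYTES, "big"))
    return any(xor_stream(hashlib.sha256(h).digest(), wire["ct"])
               .startswith(b"MAIL FROM") for h in holdings)

def make_active_mitm(auth_key):
    """In-line attacker with the long-term key: swaps in its own g^m and
    re-authenticates it.  Only works while the exchange is happening, and it
    would also have to re-encrypt for Bob in real time (not done here)."""
    m, gm = ephemeral()
    seen = []
    def interceptor(pub, _tag):
        seen.append(pub)  # genuine g^a then g^b, each combinable with m
        return gm, tag(auth_key, gm)
    return interceptor, (lambda: [derive(m, pub) for pub in seen])
```

Run `session(key)` once without an interceptor and `archiver_can_read` on the result to see the GAK-style archiver fail; run it again with `make_active_mitm(key)` to see that the same key holder succeeds only by altering the exchange as it happens, which is exactly the in-line packet modification infrastructure the post says the government would need to build. Note that Bob's decryption comes out as garbage in the MITM case: the attacker has not re-encrypted for him, so a real interception must also relay in real time or be noticed.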