Many of the interesting cases can be addressed by some mixture of
extreme key fragmentation with escrow fragmented across a set
of organizations that are both unable and unlikely to collude, but
would co-operate with an appropriate third party if presented with
the appropriate justification.
That's a theory that could reasonably sound appealing. Are there
real-world examples of a model like this showing the desired properties
that balance safety and utility?
Also scalability. In the Apple iMessage system, every user has a
separate key pair and only sends the public key to the Apple
directory. How do you fragment and escrow all umpteen million of
the private keys?
A system in which Apple held a master key would be a major redesign
and a major step backwards. Even a system where a key, once
disclosed, allowed access to all future traffic with that key would
not be desirable.
R's,
John
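The threshold escrow sketched in the first paragraph, as an added example that is not part of the original thread: Shamir secret sharing over a prime field, with each custodian organisation holding one share of every user's private key, so no single party has a master key and releasing one user's key exposes nobody else's. The custodian count, threshold and user names are assumptions chosen for illustration.

```python
"""Threshold key escrow: a per-user private key is split into shares held by
independent organisations; any `threshold` of them can reconstruct it, fewer
learn nothing. Shamir secret sharing over GF(P). Example code written for
this discussion, not taken from any deployed messaging or escrow system."""
import secrets
from functools import reduce

# Mersenne prime 2**521 - 1: large enough to hold any secret up to 512 bits.
P = (1 << 521) - 1

def split(secret_int, n_custodians, threshold):
    """Return n shares (x, y); any `threshold` of them recover secret_int."""
    assert 0 <= secret_int < P and 1 < threshold <= n_custodians
    # Random polynomial f(x) = secret + a1*x + ... + a_{t-1}*x^{t-1} (mod P).
    coeffs = [secret_int] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    def f(x):  # Horner evaluation, highest coefficient first
        return reduce(lambda acc, c: (acc * x + c) % P, reversed(coeffs), 0)
    return [(x, f(x)) for x in range(1, n_custodians + 1)]

def recover(shares):
    """Lagrange interpolation of the shares' polynomial at x = 0."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def escrow(user_keys, n_custodians, threshold):
    """Custodian i stores one share per user; no party holds a master key."""
    stores = [dict() for _ in range(n_custodians)]
    for user, key in user_keys.items():
        for idx, share in enumerate(split(key, n_custodians, threshold)):
            stores[idx][user] = share
    return stores

def release(stores, user, custodian_indices):
    """Cooperating custodians hand over only `user`'s share, nothing else."""
    return recover([stores[i][user] for i in custodian_indices])

def demo():
    # Constructed sample: two users, 5 custodians, any 3 can release a key.
    users = {"alice": secrets.randbelow(P), "bob": secrets.randbelow(P)}
    stores = escrow(users, n_custodians=5, threshold=3)
    assert release(stores, "alice", [0, 2, 4]) == users["alice"]
    assert release(stores, "alice", [1, 3]) != users["alice"]  # too few shares
    return stores
```

Storage grows as (users x custodians) shares, one per user per custodian, which is the scalability cost the thread raises for millions of per-user key pairs.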