[ggm]

I don't want this scheme. I don't want key escrow. But, a critique in the document is a 'if lost, lost forever' moment. If the escrow DB is compromised, the article says all phone are now pwned. For that point in time, true.

But phones are online devices. why does the escrow key have to be a constant, which if the central store is compromised means all phones prior to that date are compromised forever?

eg, re=spin the per-phone keygen on some cycle, and you define a window of risk, but it passes. re-spin clearly has to pass through some protocol, but we've been doing ephemeral re-key forever with websites.