[acqq]

> If you use those curves, then you're revealing your secrets to the NSA but not to anyone else.

...until some worker or contractor takes their "secret" values for himself, or sells them, or publishes them on the internet. Producing the public standards with the built-in master keys increases possibility of overnight global breakage.

[elliotz]

The public standard shouldn't include the secret values, but rather identify the (verifiable) process for generating the public values, in order to assure people that they were not created from secret values.

See: https://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number

(Or, of course, you could just not publish RNG standards based on public-key crypto ;-)

[acqq]

> The public standard shouldn't include the secret values

It seems there's enough evidence that NSA inserted the secret values in one standard already:

http://en.wikipedia.org/wiki/Dual_EC_DRBG