And if it is stored client-side, what happens when the user inevitably loses their key? You and I might have backups in multiple places, and on an encrypted USB stick in a bank vault, but my dad doesn't, and the next time he spills wine on his laptop, there goes literally all of his e-mail.
Issue the user two smartcards, one for daily use, one that can be used to create a new daily use smartcard. Tell the user to keep the backup smartcard in a safe place.
Yes, someone will inevitably lose both. You just need to ensure that that is a rare event, and that there are alternative systems in place (i.e. that losing access to one system does not prevent people from living their lives).
I'm familiar. There's a big difference between "optional key escrow with a service I have chosen to trust" and "mandatory key escrow" though. Most importantly with regard to the ease of mass surveillance.
This is the real reason why cryptography hasn't caught on. It's opt-in by nature: no matter how hard you try, you can't send someone an encrypted message if they don't have a public key for you to use.
Actually, yes you can. Check out identity-based encryption and Voltage Security. It's currently in use by Wells Fargo, ADP, and other large enterprise customers.
The catch there is that IBE requires a centralized, trusted key-issuing service where you need to enroll to receive your message. If that's compromised, then game over.
Of course, you would need to be judicious about which group of key issuers you are willing to trust, but this method will at least reduce the risk. The other nice thing about this is that even if some key-issuing service is compromised, the sender can force the receiver to switch services (compare to the TLS model, where dropping a CA is basically a coordination game problem).