Back in 2000 PGP, a mature and capable company with significant experience in encryption and security, decided that it would be a good idea to provide key escrow for its corporate users.
August 2000: a bug in PGP Corp's corporate key escrow feature makes all keys vulnerable. https://t.co/j9K7XBqdmX pic.twitter.com/waZDnGYsBW
— Matthew Green (@matthew_d_green) March 16, 2016
It did not, of course, end well.
The feature ended up making all PGP keys vulnerable. Here’s a thread describing the bug. If you read through the posts, you’ll see that the problem was that a programmer essentially neglected to check a return value. Also notice how easy the vulnerability is for anyone to exploit. Once again we have confirmation that security is hideously hard to get right.
This was supposed to be a benign feature that Network Associates—owner of PGP—added to assist with key recovery. The result was a devastating, unfixable bug that could only be eliminated by retiring two versions of PGP. What possible reason is there to believe that a government mandated key escrow would do any better?