Forcing developers of encryption algorithms to give the gov't a key?

I found a source explaining how things stood in the US about 1996. Data Security Tutorial by MaeDae Enterprises (they explicitly give permission to reproduce it).

I believe things have changed substantially since then but even then it was a joke as everybody and his brother around the world were using PGP and other systems.

A 1994 article How to Keep It A Secret mentions CLIPPER AND SKIPJACK

In the same page you can find a link to a very extensive discussion of the Clipper/Skipjack issues with NSA.

To calm things between sailor and Urban Ranger let’s just call it the ‘secret key’. :slight_smile: If a public key scheme was used then it will be your private key they are after; if it was a symmetric cipher (DES or IDEA) then it will be that key.

I agree that quantum cryptography only guarantees a secure transmission channel. It is provable that any attempt to eavesdrop on such a channel is instantly detectable by the parties doing the communication.

We’ve had a perfectly (as in mathematically perfect) secure cryptosystem for years; it’s known as a one time pad. It’s just the extremely difficult problem of key distribution that makes it impractical.

I was just being pedantic :slight_smile:

The pads are the key (sorry for the unintended pun). AFAIK only spies use one-time pad.

This is getting pretty far OT, but I must take issue. A one time pad is a provably secure algorithm; it is not a system. There is no such thing as a provably secure implementation because the “system” must include key exchange/storage, which is a very different problem and one which makes OTPs impractical for almost every potential use.

Unfortunately, that’s not true. There are several commercial products which pretend to have “unbreakable” encryption which are actually poorly implemented one time pad schemes. Peruse Bruce Schneier’s snake oil section in his Cryptogram newsletters for details.
http://www.counterpane.com/crypto-gram.html

There’s certainly some confusion, but the possibility of a provably-secure public channel is a pretty big thing in cryptography. The current methods of quantum cryptography (variations on the “BB84” scheme, proposed by Bennett and Brassard in 1984) are indeed methods for secure “key distribution”: that is, methods by which two people can use publicly-accessible channels to share a provably private key. (There are caveats. In particular, like all communication schemes it’s vulnerable to a man-in-the-middle attack.)

But key distribution is an important topic in cryptography, so saying it’s a “completely different” thing is not correct. (For example, RSA is clearly an important cryptographic algorithm, but it’s only used in PGP for secure distribution of a key to a second, faster algorithm (like IDEA).) I guess you could criticize such a statement for imprecision, but I don’t think you could claim that it’s wrong. If secure key distribution is possible then lots of cryptographic protocols can easily be implemented on top of that (for example, the one-time pad, for which the biggest current difficulty is key distribution). Since transmission of the information is often when it is most vulnerable to interception, making this channel secure would improve the overall security of a cryptosystem by quite a bit.

(Off the subject slightly, the other half of the field, advanced quantum algorithms for cryptology, also has some nontrivial advances. A working quantum computer would break PGP (and other schemes based on the assumed difficulty of integer factoring or computing discrete logarithms) and make even brute-force searches of other cryptosystems’ keyspaces quite a bit faster. I’m not sure how important this is. Once these weaknesses become known, people will presumably change to less-vulnerable algorithms. On the other hand, if the NSA has saved lots of encrypted messages with possible long-term relevance, they can now have another crack at them with their new methods.)
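The BB84 key distribution and eavesdropping detection discussed above, as an added classical simulation that is not from the thread or from Bennett and Brassard. Photons are modelled as (basis, bit) pairs, the public channel is assumed to be authenticated (the man-in-the-middle caveat is not modelled), and the abort threshold is this example's own choice.

```python
import secrets
from typing import List, Tuple

# Added example: classical model of BB84. Measuring a photon in the basis it was
# prepared in reads the bit exactly; measuring in the other basis gives a random
# bit. That single property is what makes an intercept-resend eavesdropper visible.

def random_bits(n: int) -> List[int]:
    return [secrets.randbits(1) for _ in range(n)]

def measure(photon: Tuple[int, int], basis: int) -> int:
    """photon = (preparation basis, bit). Wrong basis: 50/50 random outcome."""
    prep_basis, bit = photon
    return bit if basis == prep_basis else secrets.randbits(1)

def bb84(n: int, eve_present: bool) -> Tuple[List[int], List[int], float]:
    """One session. Returns (alice_key, bob_key, observed error rate on sifted bits)."""
    alice_bits, alice_bases = random_bits(n), random_bits(n)
    photons = list(zip(alice_bases, alice_bits))
    if eve_present:
        # Intercept-resend: Eve measures each photon in a guessed basis and re-sends
        # a photon prepared in that basis carrying whatever bit she observed.
        eve_bases = random_bits(n)
        photons = [(b, measure(p, b)) for p, b in zip(photons, eve_bases)]
    bob_bases = random_bits(n)
    bob_bits = [measure(p, b) for p, b in zip(photons, bob_bases)]
    # Sifting over the public channel: compare bases only (never bits), keep matches.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    alice_sifted = [alice_bits[i] for i in keep]
    bob_sifted = [bob_bits[i] for i in keep]
    # Error estimate: publicly reveal and compare half the sifted bits, then discard them.
    half = len(keep) // 2
    errors = sum(a != b for a, b in zip(alice_sifted[:half], bob_sifted[:half]))
    qber = errors / half if half else 0.0
    return alice_sifted[half:], bob_sifted[half:], qber

def eavesdropper_detected(qber: float, threshold: float = 0.11) -> bool:
    """Abort the session above the threshold (assumed value for this example).
    Intercept-resend on every photon induces about 25% errors on the sifted bits."""
    return qber > threshold

if __name__ == "__main__":
    for eve in (False, True):
        a, b, q = bb84(4000, eve_present=eve)
        print(f"eve={eve}: key bits={len(a)} keys match={a == b} "
              f"QBER={q:.3f} abort={eavesdropper_detected(q)}")
```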

The only possible scenario I can think of that can be used to break one-time pad messages this way is quite implausible. You have to somehow get a copy of a pad, and you have to intercept the messages that use the exact same pad to encipher. Even when these conditions are met, it is far from easy. You need to find out where each message starts and stops on the pad.
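The two failure modes raised above, the "poorly implemented" one time pad products and messages enciphered with the same pad bytes, as an added example that is not from the thread. The pad is a constructed random sample, and the receiver is assumed to hold the same pad plus each message's start offset.

```python
import secrets
from typing import Tuple

# Added example: a one-time pad that consumes pad bytes exactly once, beside a
# demonstration of why reusing pad bytes destroys the "unbreakable" property.

SAMPLE_PAD = secrets.token_bytes(64)  # constructed shared pad; real pads are far larger

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

class OneTimePad:
    """Each message gets a fresh slice of the pad; the offset is the only
    bookkeeping needed to know where a message starts and stops on the pad."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._pos = 0

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        start, end = self._pos, self._pos + len(plaintext)
        if end > len(self._pad):
            raise RuntimeError("pad exhausted: refuse to reuse pad material")
        self._pos = end  # advance before returning so this slice is never reused
        return start, xor_bytes(plaintext, self._pad[start:end])

    def decrypt(self, start: int, ciphertext: bytes) -> bytes:
        return xor_bytes(ciphertext, self._pad[start:start + len(ciphertext)])

def reuse_leakage(p1: bytes, p2: bytes, pad: bytes) -> bytes:
    """Two messages under the SAME pad bytes: c1 ^ c2 == p1 ^ p2, and the pad
    cancels out entirely. Anything known about one message is then known about
    the other, which is the defect behind the snake-oil OTP products."""
    c1 = xor_bytes(p1, pad[:len(p1)])
    c2 = xor_bytes(p2, pad[:len(p2)])
    return xor_bytes(c1, c2)
```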

>> But key distribution is an important topic in cryptography, so saying it’s a “completely different” thing is not correct

Money is important to my eating but money is not food. Encryption and transmission are both important aspects of communication but one is not the other. They are completely different fields. Encryption is hiding information, whether you send it or keep it where you are. Transmission is sending information from point A to point B, whether the information is encrypted or not. Different things. A secure transmission channel does not equal data encryption in any way. It may make encryption unnecessary, but that does not mean it is the same thing.

Five centuries ago if I wanted to go to my cousin’s place to find out if the newborn was a boy or a girl, I would ride a horse to get me there and get the answer. After we both got telephones I merely called him and got the answer. The telephone may have obviated the need for the horse but the telephone is not a horse. At least I believe I can tell them apart. The same as I can tell the difference between data encryption and data transmission. The horse and the telephone were both useful in helping get information. Secure cryptography and secure transmission channels are both useful in keeping information secure. But one is not the other.