Re: But what about...
The same way he would now.
You encrypt the stream using a session key, but you'd also have to send the session key in the clear (of the encrypted stream), but encrypted using the NSA public key.
ByteCount(AES(SessionKey, NSA-Public)) + RSA(SessionKey,NSA-Public) + AES(PlainText,SessionKey)
That way you can capture the packets, decrypt the session key with the NSA private key, and read the contents of the original message, the two endpoints having already established their shared secret state box and thus being able to decrypt it themselves.
Kinda the same way as multiple recipients work; you encrypt the sole session key with the recipients' public keys, one message, multiple people able to unlock it.
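
The envelope layout described in the post, generalized to any number of wrapped-key slots, as an added example that is not part of the original post. It shows that every public key a session key is wrapped under is another party able to read the message, and that parsing the slots reveals who those parties are. Assumptions: the slot-count byte and 8-byte key_id tag are hypothetical additions to the post's format, and textbook RSA on small known primes plus a SHA-256 keystream stand in for real RSA and AES so the block runs on the standard library alone.

```python
import hashlib, secrets, struct

def toy_keypair(p, q, e=65537):
    # Textbook RSA on known Mersenne primes (constructed, insecure stand-in).
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def key_id(pub):
    # Hypothetical 8-byte recipient tag (not in the post's format).
    return hashlib.sha256(repr(pub).encode()).digest()[:8]

def stream_xor(key, data):
    # SHA-256 counter keystream standing in for AES; no integrity check.
    pad = b"".join(hashlib.sha256(key + struct.pack(">Q", i)).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(plaintext, pubs):
    # One session key, wrapped once per public key, then one ciphertext.
    session_key = secrets.token_bytes(16)
    m = int.from_bytes(session_key, "big")
    out = bytes([len(pubs)])
    for n, e in pubs:
        blob = pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
        out += key_id((n, e)) + struct.pack(">H", len(blob)) + blob
    return out + stream_xor(session_key, plaintext)

def parse(envelope):
    # Returns ({key_id: wrapped_key}, ciphertext); slot lengths are checked.
    count, pos, slots = envelope[0], 1, {}
    for _ in range(count):
        kid = envelope[pos:pos + 8]
        (length,) = struct.unpack_from(">H", envelope, pos + 8)
        blob = envelope[pos + 10:pos + 10 + length]
        if len(blob) != length:
            raise ValueError("truncated key slot")
        slots[kid], pos = blob, pos + 10 + length
    return slots, envelope[pos:]

def open_envelope(envelope, pub, priv):
    slots, ciphertext = parse(envelope)
    if key_id(pub) not in slots:
        raise PermissionError("no key slot for this key")
    n, d = priv
    m = pow(int.from_bytes(slots[key_id(pub)], "big"), d, n)
    return stream_xor(m.to_bytes(16, "big"), ciphertext)

# Constructed keys: the intended recipient and a third-party escrow key.
RECIPIENT = toy_keypair(2**61 - 1, 2**89 - 1)
ESCROW = toy_keypair(2**107 - 1, 2**127 - 1)
```

Calling `seal(msg, [RECIPIENT[0], ESCROW[0]])` yields one ciphertext that either private key opens; `parse` on a captured envelope lists the key_ids of everyone holding a slot.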