Recognizing that DES is not the best thing out there, but that it is better than RC40 and life is a series of cost/benefit tradeoffs and that there is a large installed base to interoperate with, I'd like your opinions on the following: 1) Suppose you are approached by a corporate client who believes that they can get export permission for DES (but nothing stronger, i.e. no 3DES). What kind of real-world, non-banking, applications is DES just too weak for today? In answering keep in mind that most US corporate clients are not too worried about the US government reading their email. Some do worry about foreign governments and many worry about competitors. [I've limited this to "non-banking" because banks seem to be gearing up for 3DES.] 2) How long before DES becomes generally unsuitable for (A) corporate (B) personal use [please keep the threat model on which this question is based in mind -- threats *other than* the US government wiretapping you]? 3) Do you have a view as to whether DES (A) will and (B) should be recertified next time the issue arises? A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin@law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here.