Bob Stratton suggests we hash out ideas on key signing prorocols. Ok, here is what I do: I sign keys only when I am certian that the key belongs to the human who claims to have the name on the key. There are not a lot of keys signed by me floating arround, maybe six total. My sig does not mean that the key is not owned by a cop or NSA/CIA/KGB agent (Unlike Edgar's service) because I can't tell. So if you care about that stuff, start your own web of trust with "higher" standards. My sign doesn't mean that the person is really who they claim to be, I can't tell that either. I've signed the key of a guy claiming to be "Ray Kaplan" because I believe that he uses that name reegularly. But I don't know that his name isn't really Boris Badinov. You won't find my sig on Phil Zimmermann's key, even tho that is a popular activity. Phil is a Net/Ether person to me. My sig means that there is a real person with that name. I was at NCSC and exchanged keys there. I'll be at CFP-3 and exchange keys there too. And if you are in my area, (suburban Wash DC) we can meet and exchange keys. I see no reason to hurry. A slowly growing web of trust that is strong is far more useful than an exploding web of trash. Pat Pat Farrell, Grad Student pfarrell@cs.gmu.edu Department of Computer Science, George Mason University, Fairfax, VA PGP key available via finger or request #include standard.disclaimer Write PKP. Offer money for a personal use license for RSA.