While I agree in general, I think I'd rather see effort spent on getting everyone on message security first, and worry about traffic analysis later. My fear is that, having attempted (since it's unlikely we'll ever manage to get 100%) to secure the transport, people will stop worrying about message security, and let that slide. To put it another way, the first order of business is to prevent everyone from reading the mails. We can afford to worry about second order effects like traffic analysis after message security is well under way (say, 50% of all nominally private message traffic is encrypted). Or, put it yet another way: time for everyone to host a PGP key signing party for your friends, neighbors, and co-workers! Erik E. Fair fair@clock.org