I've look a little at using something similiar to Julf's double-blind system integrated with majordomo along with an encrypted database of addresses. The user would send mail to listname@sitename, and then be matched to a pseudonym and it would be then sent out as pseudonym@sitename to the subscribers of the list. Any mail back to pseudonym@sitename would be directed back to the real person and mail replied back to listname@sitename would be delivered as a pseudonymed name as well. The database that matches the pseudonym to the real person would be encrypted to prevent prying eyes (although it does increase the overhead requred to decrypt the name). I also looked at using a system that did not rely on human input for the keys or passphrases, using a machine-generated randomly garbled key phrase or some such. An administrator could get physical access to the key, but without knowing the phrase they have a job ahead of them. Unfortunately, lack of programming experience and time has forced me to push it way back on the agenda. ____ Robert A. Hayden <=> hayden@vorlon.mankato.msus.edu \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> I do not necessarily speak for the \/ Finger for PGP Public Key <=> City of Mankato or Blue Earth County -=-=-=-=-=-=-=- (GEEK CODE 1.0.1) GAT d- -p+(---) c++(++++) l++ u++ e+/* m++(*)@ s-/++ n-(---) h+(*) f+ g+ w++ t++ r++ y+(*)