There are some remarkable similarities between pgp5.5 and the hugely unpopular original clipper chip design. Both encrypt the communication key so it can be snooped by third parties thus creating a backdoor. I suspect that part of the reason there has been less outcry over pgp5.5 than for clipper is that people have a high regard for PGP Inc, and allow this to lull their fears -- "if PGP Inc have done it, it can't be evil." This is really insidious, and it is reprehensible for PGP Inc to use their reputation capital to give clipper like systems a positive spin. pgp5.5 is basically a software implementation of clipper: In PGP the backdoor is the second crypto recipient -- the message key encrypted to the CMRK (Corporate Message Recovery Key) as requested by the ARR (Additional Recipient Request); in clipper the backdoor is the LEAF (Law Enforcement Access Field). Both systems make attempts to enforce the presense of this backdoor field: PGP Inc's policy enforcer can be configured to bounce mail not encrypted to the corporate backdoor key; in Clipper it is the checksum included in the LEAF which allows the receiving chip to reject LEAFs which have been tampered with. Both systems are "optional" -- you don't have to use clipper chips, they will be "voluntary" (or so the politicians claim), and governments aren't currently using the backdoor feature of pgp5.5, and PGP Inc argue this won't happen (we'll see how this works out). Both systems can be bypassed in very analogous ways: They can both be bypassed by super encrypting traffic. With pgp5.5 the sender can send garbage in the CMRK encrypted field; with clipper Matt Blaze found you could brute force the checksum and send garbage in the LEAF field. Both systems can be improved to make them harder to bypass, something one suspects may happen if too many people routinely bypass them, and law enforcement views this as a problem (which they surely will if their snooping attempts are foiled -- don't forget Freeh is already on record calling for mandatory key escrow, and outlawing of non-escrowed crypto). Clipper can be made harder to bypass by increasing the size of the checksum. pgp5.5 can be made harder to bypass by using binding cryptography (allows untrusted agents to be deputised as policemen in ensuring the same key is included inside the CMRK field as in the recipients PKE field). It is easy for the government snoop to detect cheating with either system -- they attempt to decrypt the traffic, and find the LEAF/CMRK field is tampered with, or find the contained message is super encrypted. One suspects that an additional 5 year sentence will be given to people who are detected tampering with snoop fields. (This is not far fetched I don't think -- already we have heard proposals for 5 year additional sentencing for "use of encryption in a crime". If non-escrowed encryption is outlawed, surely this is the logical next step on the part of Freeh, and cohorts). PGP Inc cries: "oh but we have to meet corporate user requirements". For corporate disaster recovery of stored data? For corporate message snooping? For either requirement many of us have documented far less dangerous techniques to enable corporate message snooping, and storage recovery. Techniques which aren't likely to be adopted by governments as their snooping architecture. PGP should fix this quickly before the reputational damage is increased by more government statements about the usefulness of pgp5.5. and CMR. Adam -- Now officially an EAR violation... Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`