Matt,

You posted some very good questions.

The reason why it is "unacceptable" to accept keys electronically is that you may be vulnerable to spoofing. Okay, in reality, you have to realize that attacking cryptographic protocols is a paranoid view of things, and that you may not be attacked, but... if you send your public key to somebody, it could be possible for someone to eavesdrop, grab your key, substitute their own, and send that one along. Then when someone responds to "you", the eavesdropper could read the message, re-encrypt it with the public key they stole, and send it along to you. Then, you don't even know you are the victim of eavesdropping.

Anyway, it all boils down to validating the keys you receive. Which makes it tough unless you can meet people face to face. However, the latest version of PGP contains an option which computes the MD5 hash of your public key - which allows you to call someone, and read each other's hashes, thus completing the verification over the phone.

Of course, now you have to worry about receiving their correct phone number... :-)

/-----------------------------------\
| Karl L. Barrus                    |
| barrus@tree.egr.uh.edu (NeXTMail) |
| elee9sf@menudo.uh.edu             |
\-----------------------------------/
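
Added example, not part of the original message: a sketch of the phone check described above, showing that a key swapped in transit fails the fingerprint comparison. It assumes the old-style RSA key fingerprint defined in RFC 4880 section 12.2 (MD5 over the modulus bytes followed by the exponent bytes); the key values and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed toy values, not real keys: a "genuine" modulus, the modulus an
# eavesdropper substituted in transit, and a shared public exponent.
GENUINE_N = (2**127 - 1) * (2**89 - 1)
SUBSTITUTED_N = (2**107 - 1) * (2**61 - 1)
E = 17

def mpi_body(value: int) -> bytes:
    """Big-endian bytes of an MPI, without its two-octet bit-length prefix."""
    if value <= 0:
        raise ValueError("RSA key material must be a positive integer")
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

def v3_fingerprint(n: int, e: int) -> bytes:
    """MD5 over the modulus body, then the exponent body (RFC 4880, 12.2)."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).digest()

def readable(fp: bytes) -> str:
    """Hex pairs split into two groups of eight, convenient to read aloud."""
    pairs = [f"{b:02X}" for b in fp]
    return " ".join(pairs[:8]) + "  " + " ".join(pairs[8:])

def matches(n: int, e: int, spoken: str) -> bool:
    """True only if the key we received hashes to the fingerprint we were told."""
    cleaned = "".join(ch for ch in spoken if not ch.isspace())
    try:
        claimed = bytes.fromhex(cleaned)
    except ValueError:  # stray characters or an odd number of digits
        return False
    # compare_digest returns False on a length mismatch, so a truncated
    # read-back can never pass as a match.
    return hmac.compare_digest(v3_fingerprint(n, e), claimed)

if __name__ == "__main__":
    # The key owner computes this from their own copy and reads it out.
    spoken = readable(v3_fingerprint(GENUINE_N, E))
    print("owner reads:       ", spoken)
    print("genuine key ok:    ", matches(GENUINE_N, E, spoken))
    print("substituted key ok:", matches(SUBSTITUTED_N, E, spoken))
```

The comparison only helps when the fingerprint arrives over a channel the eavesdropper does not control, which is the point of the closing remark about the phone number.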