-----BEGIN PGP SIGNED MESSAGE----- I may have a clouded view of the technology available here, because I confess to not understanding all of your post- namely, why the "web of trust" necessarily bears here. It feels like DH would probably be the best mechanism for key exchange. When Alice calls Bob, their two Macs can conduct a DH exchange of randomly generated, valid-for-only-one-call session keys and use those to encrypt both ends of the link. The reason behind my original proposal of a system that could use PGP keyrings is thus: let's say that I want to call you. I tell my cryptophone to call "Phil Karn", so it looks up your public key and uses it to encrypt my side's session key, then signs the encrypted version with my public key. Your cryptophone answers, de-signatures the data block to see who's calling, then decodes the encrypted session key using your secret key. If you decide to accept the call, your cryptophone can send me a key by encrypting it with my private key, then signing it with your pubkey. This protocol is obviously not secure against spoofing attacks. It does support anonymous use, though- if the caller doesn't sign the encrypted session key block, you could still accept the call! The big advantage to this scheme in my mind is that it leverages PGP's infrastructure and key distribution. I'm not sure that the web model would be terribly useful; I tend to think of most calls as being either to "indirectly trusted" keys (i.e. I can call Phil Z to ask about how the developers got permission to use IDEA in PGP) or to directly trusted keys (i.e. I can call someone whose key I've personally signed.) The presence of a hardwired telephone number, of course, adds some trustability. TCP/IP traffic can be falsified in ways that POTS traffic can't, and it's very hard to subvert The Phone Company (tm). Even if I don't completely trust your key, if I call Qualcomm's front desk and ask for your work phone #, I can probably trust that. OTOH, as I read someone post the other day, "Everyone you've ever met is working for the CIA. There's absolutely no way to prove differently." :) - -Paul -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCVAgUBLGfGjSA78To+806NAQEunAP+PIddYdBa57YkVGwd9uXfxwDL59LABXfS fTIC8xv7L6QC0r/9az4ToJCFqIF6c2+C5ZeVdCFlQ18mjQ8MApeJkN11gynRu3aX 5qCZOs5Nmyfg2JzS95eWe75UyCwO5GepSt1LNHAA4wi5cyFtBHTULXv2MKHRvWSj YUePz50FDLg= =IqKL -----END PGP SIGNATURE-----