Good hard critique, Eric! Now if I might try to salvage my position... "One time pads are very (much more) expensive on a per-link basis than public key systems..." Yes, of course. However I don't envision OTPs as a standard for bulk encryption on large networks. Rather, for person-to-person communication in small networks. Examples: a group of civil rights attorneys suing the Federal govt., an international environmental organisation's main offices in the capital cities of a small number of countries, etc. Cases where the adversary is one or more powerful governments, and the number of links required is relatively small. Given the nature of the relationships between these kinds of networks and their adversaries, the expense would seem to be justified; in any case, the **incremental** cost of for instance a set of 30MB cartridges as compared to a few floppy discs, is an minor fraction of the cost of the airline tickets and other expenses for trusted couriers. (oops: "a minor fraction...") Your discussion of bandwidth can be met with a similar counter-arguement. First of all, I would reject the use of UPS or (God help us) the *Post Office* as a courier, particularly where one or more governments may be the adversaries against whom protection is needed. So your reference to those carriers is not relevant to the main point of my case. I'm assuming that key materials are transported by trusted courier and are guarded by same until they reach their intended recipient. Okay, that *really* drives up the cost, doesn't it...? Not if the key materials "hitch hike" on an existing travel plan: attorney A flies out to city B to visit attorney B... and happens to carry key material onboard in his/her shoulder bag. No added cost except for the storage devices, and that is not significant. Re mathematical breakthroughs in factoring etc, you say, "we don't know when that will happen, and we don't know which will happen." Exactly my point. *We* don't know. But the NSA and so on, most certainly do know, and they won't be telling. If the breakthrough comes, then the period between that point and the point when it is publicised, will be one of false security. Was it Kahn who said nothing is more dangerous than a bad cipher? My point here comes down to nothing more or less than the principle of caution in the face of an unknown. (Discussion of relative cost of brute force solutions, and the question of hard problems and scale.) I agree that my intuition about these things may be highly flawed. However this doesn't invalidate my point about the possibility of basic breakthroughs happening behind closed doors. Now in a way I'll admit that my arguement here sort of comes down to a black box. However, again I would assert that there are cases where the almost irrational caution is worthwhile. You say in concluding, "Perfect security is not worth the cost in time, effort, or dollars when the marginal cost of perfection is less (do you mean more?) than perfection." You cite examples of international banking systems. I would cite examples of political movements which have been sabotaged and destroyed by government covert action. One need not look far to run into COINTELPRO and the more recent French govt action of blowing up a Greenpeace vessel. Where your adversaries are the intelligence agencies of world powers, and where lives are at stake, I would say the cost of perfect security is justified. Now of course, the French terrorist bombing, the destruction of Black nationalist and student organising groups in the US, and other examples, may not (probably would not) have been prevented altogether by adoption of perfect communications security. Che Guevara after all used OTPs, and it was radio direction finding and traffic analysis (rather than cryptanalysis) which ultimately led to his murder by US-backed mercenaries. If we are promoting a tendency which is inherently political, it implicitly recognises governments as its adversaries. Our choices of cryptographic systems should reflect a wide range of applications and not exclude some a-priori on grounds of cost or convenience. -George (gg@well.sf.ca.us)