I spoke briefly with Phil Zimmermann about the ViaCrypt deal this afternoon. He explained, as I understood it, that the company was contractually obligated to use their own version of the RSA library. This code is apparently proprietary and so the source is not currently planned to be released. Phil indicated, though, that he will discuss this issue with ViaCrypt, and hopefully some solution can be found which will satisfy users. It was not clear to me whether the random-number code from PGP would be retained. I suspect that it will be, though, which would mean that if you started with identical randseed.bin files, and RSA-encrypted identical files, that the two programs should produce identical output. PGP uses the contents of this file to initialize its random number generator. (PGP does put some random data at the beginning of the plaintext before encryption, as was described; this is to make cryptanalysis harder, since the first few bytes of the plaintext will not be known. Again, this random data is based on the contents of the randseed.bin file.) To address a few other points that were made: Phil reiterated his strong committment to keep the freeware version of PGP at least as up-to-date as the commercial version. This is not a case where the freeware version will be left to languish. In fact, Phil expects the commercial version to be based on the freeware version, with advances occuring first in the freeware code. As to whether individuals will pay $100 or more for a legal version, that remains to be seen. In some ways the same question can be asked about many commercial packages, for which pirated versions are available for free from friends or user groups. Yet still some people pay for software because they feel better using a legal version. People who feel this way would perhaps also prefer a legal version of PGP. Hal Finney hfinney@shell.portal.com