Re: 256 Bit Encryption for Secure Email and Secure Online File Storage
Another proprietary key format. Why not base such a system on OpenPGP?
Hmm. AES-256 with SHA-256? Children, what's wrong with the balance in this system?
How does a user verify authenticity of another user's public key?
Aside from being incompatible with anything else on the net, how is this different or more secure than Hushmail? Than Cryptomail.org?
The AES-256 is used independently from SHA-256 and for a different purpose. One is used for encryption, the other for hashing. If you'd like to match the crypto level provided by the hash, you would have to apply something like SHA-512, but that is irrelevant. SHA-256 is a convenient way of hashing passphrases into 256-bit symmetric key material used to initialize key vectors in the AES. I would suggest you should look into the source code (available from the CryptoHeaven web site, http://www.cryptoheaven.com) before making such trivial but misleading comments.
Also, a proprietary key format is not such a bad idea as long as the source is open for review. The OpenPGP standard involves much more than a simple RSA key, and any software using it is prone to the possible errors that may come with it. Making a simpler key format with only the very things that are necessary makes it easier to maintain, and it is easier to verify correctness of implementation.
So what about Hushmail, you ask. For one, CryptoHeaven does not require you to send your encrypted private key to the server, making CryptoHeaven a much more secure solution. Furthermore, CryptoHeaven includes things like secure multi-party folder sharing and multi-user discussions which are not available in other systems.
participants (1)
-
Jonny Weron
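Added example, not part of the original thread and not CryptoHeaven's code: the passphrase-to-key step the reply describes (one SHA-256 pass giving a 256-bit AES key), next to a salted, iterated derivation for comparison. The function names, the PBKDF2 iteration count and the sample passphrase are assumptions made for this sketch.

```python
import hashlib
import math
import os

KEY_LEN = 32  # bytes: a 256-bit AES key


def key_from_sha256(passphrase: str) -> bytes:
    """One unsalted SHA-256 pass over the passphrase, as the reply describes."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def key_from_pbkdf2(passphrase: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256), shown for comparison.

    The iteration count is an assumed value, not one taken from the thread.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def effective_key_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on the strength of a passphrase-derived key.

    Hashing cannot add entropy: the key is at most as strong as the
    passphrase space, capped at the 256-bit key size.
    """
    return min(8.0 * KEY_LEN, length * math.log2(alphabet_size))


if __name__ == "__main__":
    passphrase = "correct horse battery staple"  # constructed sample input

    # Unsalted: every user who picks this passphrase gets the same AES key.
    print("sha256 :", key_from_sha256(passphrase).hex())

    # Salted: a per-user random salt (stored beside the ciphertext) gives each
    # user a different key and makes every guess cost `iterations` hashes.
    for user in ("alice", "bob"):
        salt = os.urandom(16)
        print(f"pbkdf2 {user}:", key_from_pbkdf2(passphrase, salt).hex())

    # An 8-character lowercase passphrase bounds the "256-bit" key at ~37.6 bits.
    print("bound  :", round(effective_key_bits(26, 8), 1), "bits")
```

Either way the output is a 256-bit key, but its real strength is bounded by the passphrase, which is what to check when reviewing a system that advertises a key size.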