Could someone kindly tell me about the drawbacks of the Lotus Notes signature / encryption system (export version)?

I guess my first question would be "compared to what?". Compared to the Lotus Notes domestic version, the crypto is weaker in two ways. First, there is a backdoor by which all but 40 bits of each symmetric key is encrypted under a public key whose private half is known to the U.S. government. This encrypted value is included in all messages where the key is passed aroung. Depending on how you feel about breaking 40 bit keys, this means it is somewhere between easy and trivial for the U.S. government to eavesdrop on your communications It also uses 512 bit RSA keys for distribution of encryption keys, which makes it attackable by attackers other than the U.S. government. While no one has ever publicly demonstrated breaking a 512 bit RSA key (last I heard), the workfactor is well understood and it's clearly feasible (and in fact overdue). Compared to exportable versions of S/MIME or SSL, the crypto is considerably stronger. Against attackers other than the U.S. government (and even a paranoid would admit there are other attackers to be concerned about (e.g. the French government)), the workfactor to attack the symmetric keys is 64 bits - a little shakey but not the weakest link in most systems. Further, RSA signature keys are 630 bits, which is better than most exportable systems. Compared to non-exportable (but internationally available) systems, like PGP and strong S/MIME and SSL, the crypto is substantially weaker. Another aspect to consider is the strength of the PKI. Lotus Notes uses an organizationally based PKI, meaning that to a large degree your security depends on the trustworthiness and competence of your system administrator. With PGP, your security is under your own control to a much larger degree. For people who are more security aware than their administrators (as most PGP users are), the PGP PKI offers better security. For people who are less security aware than their administrators (as most Lotus Notes users are), the Lotus Notes PKI offers better security. Finally, a "drawback" that might be relevant to this group is the fact that because the Lotus Notes export version has a key-escrow-like backdoor, using it offers tacit political endorsement for the U.S. government's contention that key escrow is a technically practical compromise between the needs of users for privacy and the "needs" of government to know all the secrets of everyone on the planet. In my mind, this argues strongly in favor of using real strong crypto if that is an option, but using weak crypto as an alternative is offering tacit political endorsement for the even more dangerous contention that weak crypto is good enough. Your mileage may vary. --Charlie Kaufman (charlie_kaufman@iris.com)