There is a little confusion here between RIPEM and PEM. PEM is the "official" Internet standard for Privacy Enhanced Mail. An implementation is in beta test right now, and uses a centralized certificate hierarchy for all keys. Everyone has to have their keys signed by an agency which is authorized by RSADSI (at least according to the Internet drafts I have, which are several months old). Typically, that agency would be your company or your school, because they are in a position to vouch for your identity. There is a provision, though, for pseudonymous keys to be issued, although they would be clearly marked as such. RIPEM is Mark Riordan's public-key program. It is similar to PEM, but does not use the PEM certificates and therefore does not require people to have their keys signed by an agency. It is not really PEM compatible. It does use the RSAREF public-domain encryption package, so it is legal for non- commercial use in the U.S. and Canada. What I suggested was the use of RIPEM since it is available now, is legal, and is free. Note, though, that whether RIPEM or PGP is used, they are only for non- commercial use. A remailer that wanted to charge, such as the ones that Eric Messick is discussing, would probably have to license the technology from PKP directly to be legal. (I'm not sure whether PEM also is limited to non-commercial use.) Hal Finney 74076.1041@compuserve.com