Answering some comments about my suggestions for key verification.

Phil Karn pointed out that the next version of PGP will display an MD-5 hash of any public key for phone comparison purposes. That's great, but that version of PGP isn't here quite yet. I suspect, in any case, that the added security isn't all that great since I suspect it's very hard to find another valid key-pair where the public key matches the last 24 bits plus some fragment of another 20 bits or so from the middle of the key.

Phone, as opposed to mailed paper, verification has the following problems:

Phil says you have to recognize the voice, which implies you've met him in close quarters, which implies you could have exchanged keys physically anyway. If the only place you've heard the voice is over the phone, that's not a very good criterion. Phone verification is good, IMHO, *only* if the person being verified is *called at a listed number*. You can't verify a person who calls you (unless you know the voice). You can't verify a person you call at an unlisted number which you got over the net!!

Economics: Net participants are scattered over the country and even the world. Paper verification costs about $2-$3 allowing for my fee, copying costs and two-way international postage. Adding notarization adds about $5.00. Phone verification is economical locally (maybe cheaper than mail), but more expensive when long-distance rates apply, especially international rates. Meeting at parties or face-to-face is most expensive of all, unless the meeting happens fortuitously. Overseas plane fare to exchange keys is beyond the means of most of us.

Phil says:

> I would much rather trust a simple verification procedure based on redundancy and close personal relationships than a single, complex, impersonal process involving people I don't know. This is not to impugn your integrity, of course -- I'm simply speaking on principle.

No offense taken!
I, on the other hand, would rather have in my hand a signed statement of identity with photocopied ID that I can keep and file away. I also don't want to go broke making international phone calls.

As it happens, I, so far, have not been able to sign a single key!! I called Phil Zimmerman at a listed number, I read him my key and he signed it, but he was called away from the phone before he could verify his key to me. So I can't sign his! I've met a few people at parties I've given my paper key (fragments) to. So far none of them have signed my key, but none of them had paper key fragments to trade, so I can't sign theirs.

George Gleason commented about supplying home addresses. Your comments are well taken. Phil Zimmerman also commented to me in E-mail that some people don't want the serial numbers on their photo ID copied. Everyone please feel free not to supply a home address and to obscure any home address or serial number on the photocopied photo ID. I'll still sign your key, although I'll note what you did in my signed key directory, which I'll send to customers & publish here. If you don't want *me* to know your home address, you can use a P.O. box for me to return my (or other customers') ID certificate(s) to you. On the other hand, as the service provider, MY home address and phone are public info.

I also acknowledge George's criticism re the "I'm not a cop" statement. I'm going to leave it in my statement, because it's true, but in general you should be aware that any legal protection is questionable at best. The lack of protection has been verified by a source on Extropians and by an attorney on the RIME network. In the meantime, I guess we can discuss illegal subjects not with "I've done ..." but with "I've heard that ..." or "I used to know somebody who ...". Also anonymous remailers will be a big help.

--
edgar@spectrx.saigon.com (Edgar W. Swank)
SPECTROX SYSTEMS +1.408.252.1005 Silicon Valley, Ca
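The two verification methods discussed above (reading key fragments over the phone versus comparing the MD-5 hash that the next PGP was to display) can be put side by side in code. The following is an added example, not code from the post or from PGP itself. It computes the PGP 2.x (V3 RSA key) fingerprint as RFC 4880 section 12.2 describes it, MD5 over the bodies of the n and e MPIs without their two-byte length prefixes, plus the V3 key ID (the low 64 bits of n), and a `fragments()` function that models the post's "last 24 bits plus about 20 bits from the middle" check. The moduli are constructed test integers of the right shape, not real RSA keys, and the second one is deliberately built to agree with the first only on the bits the fragment check looks at.

```python
"""Added example: PGP 2.x-style fingerprint versus fragment comparison.
Not part of the original post; the moduli below are constructed, not real RSA keys."""
import hashlib


def mpi(value: int) -> bytes:
    """Encode an integer as a PGP MPI: 2-byte big-endian bit length, then the value bytes."""
    bitlen = value.bit_length()
    return bitlen.to_bytes(2, "big") + value.to_bytes((bitlen + 7) // 8, "big")


def v3_fingerprint(n: int, e: int) -> str:
    """V3 (PGP 2.x RSA) fingerprint: MD5 over the MPI bodies of n then e,
    excluding the 2-byte length prefixes (RFC 4880 section 12.2)."""
    body = mpi(n)[2:] + mpi(e)[2:]
    return hashlib.md5(body).hexdigest()


def v3_key_id(n: int) -> str:
    """V3 key ID: the low-order 64 bits of the modulus, as 16 hex digits."""
    return f"{n & ((1 << 64) - 1):016x}"


def fragments(n: int, middle_bits: int = 20) -> tuple:
    """The phone/paper fragment check from the post, as an assumed model:
    the last 24 bits of n plus `middle_bits` bits starting at the midpoint of n."""
    low24 = n & 0xFFFFFF
    shift = n.bit_length() // 2
    mid = (n >> shift) & ((1 << middle_bits) - 1)
    return (low24, mid)


def compare_keys(n_a: int, e_a: int, n_b: int, e_b: int) -> dict:
    """Report which of the three checks would accept key B as key A."""
    return {
        "fragments_match": fragments(n_a) == fragments(n_b),
        "key_id_match": v3_key_id(n_a) == v3_key_id(n_b),
        "fingerprint_match": v3_fingerprint(n_a, e_a) == v3_fingerprint(n_b, e_b),
    }


# Constructed 1024-bit odd integer with the top bit set; NOT a real RSA modulus.
SEED = hashlib.sha256(b"constructed modulus for the example, not a real key").digest()
N1 = int.from_bytes(SEED * 4, "big") | (1 << 1023) | 1
E = 65537

# Second constructed modulus: identical except for bit 1000, which lies outside
# both the low 24 bits and the 20-bit middle window (bits 512..531).
N2 = N1 ^ (1 << 1000)


if __name__ == "__main__":
    print("fingerprint A:", v3_fingerprint(N1, E))
    print("fingerprint B:", v3_fingerprint(N2, E))
    print("key ID A/B:   ", v3_key_id(N1), v3_key_id(N2))
    print("fragments A/B:", fragments(N1), fragments(N2))
    print(compare_keys(N1, E, N2, E))
```

Run as a script it shows the two constructed keys agreeing on the fragment check and on the key ID (both are derived only from low-order bits of n) while the MD5 fingerprint differs, which is the practical difference between reading 44 selected bits aloud and reading a 128-bit hash of the whole key. Whether an attacker can actually produce a valid key-pair matching given fragments is a separate question the post raises and this example does not settle; it only makes visible how few bits the fragment method commits to.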