A few comments on GUCAPI postings follow.

1. It has been suggested that GSS-API is appropriate for layering over PGP security functions, but this is incorrect, as GSS-API is inappropriate for store-and-forward applications (and associated security mechanisms), and hence isn't suitable for all applications which have security requirements.

2. The application level interfaces for messaging applications must include object protection semantics. One proposal being considered for this is available by ftp as draft-ietf-cat-iop-gss-00.txt from ds.internic.net in /internet-drafts. There is a BOF on this today at the IETF which other CP IETF correspondent(s) may want to report on.

3. A distinction can and should be made between the higher level interfaces which combine information protection and authentication, and the lower level interfaces to cryptographic transforms and key exchanges which aren't bundled with any trust model or certification infrastructure.

4. The lower level cryptographic interfaces (CAPIs) are the subject of numerous proposals. A few of these were listed in the note I sent to the list yesterday about the recent NIST meeting. One proposal being developed by major vendors (IBM, HP, Sun etc) and to be trialled in practical implementations is available from X/Open, together with an associated email discussion list. Mail me if you want to be part of the review process, or just track developments in this area. (This is intended to be a net standard and an industry standard :-).

- pvm

Please ignore & delete. I am a test. (I seem to be cut off from the mailing list, possibly by my company's firewall.......)

participants (2)
- Anthony Wm. Iannotti
- p.v.mcmahon.rea0803@oasis.icl.co.uk