I don't quite follow how this would work. If Trent issues a blind signature, then that means (doesn't it?) that he doesn't see what he is signing. So how can he confirm that the message is actually from a member of the group when he doesn't see it?

I should have elaborated a little on this. My idea was that trent should be able to decrypt the message and verify it was meaninful (at least probably so) by some form of frequency analysis, as he would be a computer program this would not be a significant time loss in a system with few users (such as parliament as suggested with the initial problem) if the resulting message didn`t have approximate frequency distributions of letters you would expect in natural langauge or source code or whatever the message would not be published as it is probably an invalid key being used thus decrypting to garbage. A better way to do all this would probably just be to have Bob sign the message then Trent strip the signature before signing it himself but I just dashed this off as a quick response without really thinking it through. A nicer protocol would be one where the key distribution is easier initially (isn`t this always the case ;-)) or even a protocol which isn`t arbitrated, like your reply said Chaum mentions protocols for this. Datacomms Technologies web authoring and data security Paul Bradley, Paul@fatmans.demon.co.uk Paul@crypto.uk.eu.org, Paul@cryptography.uk.eu.org Http://www.cryptography.home.ml.org/ Email for PGP public key, ID: 5BBFAEB1 "Don`t forget to mount a scratch monkey"