Re use fo CD ROMs for OTPs. That would seem to be a variation on the old theme of the book cipher, which is *not* random and therefore *not* secure. Also, agreeing on key procedures over the *phone* in *clear voice* is kind of like sex without a condom. Not secure. Not safe. Potentially deadly. While we're on the subject of link encryption, the same response pertains to the suggestion made by someone from SJG here (whose name I ought to know but my memory for names has more holes than Bush's economic plan) about key distribution and transmission of cleartext over phone lines. It *doesn't matter* if it's encrypted at the BBS server, if it goes in clear over the phone. Keyword in context recognition is no problem when dealing with ASCII. Various agencies (you know who) have raised this to a fine art. The telephone line is precisely the link in the chain which is weakest and needs most to be protected. If the nasty-wasties break down your door and go for your hard drive, it's already too late. Like worrying about a condom after the fact. Now as a matter of record, it's been demonstrated that a processor emits electromagnetic radiation back over the phone lines as well as electrical power lines, which can be picked up at a distance. So consider for a moment that there is a BBS serving dissidents, who Big Brother wants to monitor. Seeing all the encrypted traffic, they install a device on the phone line and the AC to pick up what the mircoprocessor is doing. And they see it doing crypto, and they see the cleartext which is recovered, and get the keys, and the whole damn thing may as well be transparent. So for BBSs and such, I would argue that it's necessary to have electromechanical relays to isolate the computer from the phone lines when encrypting or decrypting; ideally isolate it from the AC as well (using an uninterruptable power supply, which will run the computer on batteries for some period of time, say 45 minutes). So you have a great big red toggle switch next to the computer, and for some period during the day when doing all the crypto processing, throw the switch to the Safe position to get it off the phones and AC lines. This might make BBS use a little less convenient (in that email becomes available the day after it was posted), but at least it's not literally leaking everyone's secrets into the airwaves. This general area is part of a larger topic called TEMPEST. Anyone else interested in pursuing this angle...? -gg