FWIW, it seems that a hole has been discovered in PGP 2.6.1, 2.7, 2.6, 2.3a, and most likely earlier versions as well. Apparently, it is possible to insert cleartext within a signed message and still receive a good sig message upon verification. Interested parties are referred to alt.security. pgp for a rather lengthy thread on this subject. I haven't seen anything on the cp list yet and thought those who don't read news regularly might find this information to be useful. I can forward the entire thread via email upon request. =D.C. Williams <dcwill@ee.unr.edu>