
1) On the question of MD4, it has been demonstrated that one can generate multiple documents with the same hash -- an example was given in a paper a while back of two contracts, identical but for the dollar sum agreed to, with identical MD4 hashes. That demonstrates that MD4 is useless.

2) Hans Dobbertin on May 2nd released a short paper that circulated widely on the net describing collisions in the MD5 compression function. Several people have asked me for references on this. I cannot give you anything -- all I have is PostScript of the document, which had not been published in any journal when I last checked. However, the result is widely known. MD5 is *not* something that should be trusted going forward, and I hope the next version of PGP uses SHA-1.

Perry
participants (1)
-
Perry E. Metzger