I've been on the road since the RSA conference where the Notes crypto hack was announced. Sorry to have missed the fun. To answer at least some of the speculation on "how does it work", attached is a "Lotus Backgrounder" document that was distributed at the RSA conference. Some of the speculation in this group has had uncanny accuracy. I'd also like to defend the Notes R4 approach. I hate export controls more than most people, in part because I waste a lot of my time trying to figure out how best to deal with them. While I think Notes is doing the right thing given the current constraints, I can't help but be appalled by the current constraints. I don't believe 40-bit crypto is a joke. Even if it costs NSA $.25 to break a 40-bit RC4 key, and I'd speculate it costs them more than that, it means they can't afford to do keyword searches on every encrypted message they can afford to intercept (or at least they couldn't if everyone took the trouble to encrypt). And with a separate 40 bit key on each of your mail messages, an attacker may be able to break a few if he knows they are the good ones, but it's painful to browse. That said, I would not expect anyone to get much comfort from 40 bit crypto. The Notes R4 approach gives the best of two fairly unpleasant worlds. You can export crypto if you either limit yourself to 40 bits (which means anyone can see it if they want it badly enough) or give the government the keys (through escrow - which means the government and anyone else who can "break" the escrow mechanism can see your stuff with no work at all). Notes R4 gives the government part of the key, so they still have some work to do and other attackers have a lot of work to do. This is not a good solution. It's not even an acceptable solution. But it is a better solution than 40 bit crypto. And it's enough better that I think it was worth the hassle it took to get it. Notes R4 didn't give up anything to get this. It is expensive to have the technical complexity of two different interoperable versions of the product, and we could have said... gee, this is really good enough for everybody... why don't we just sell the "International Edition" everywhere? We didn't. The "North American Edition" (euphemistically named to reflect that it's also legal in Canada) still uses real strong crypto. The only valid criticism I've heard of the approach is by making the best of a bad situation, we've reduced the incentive for fundamental reform. That may be true, but once an approach is known (and we aren't the only ones to have thought of it - Adi Shamir's Partial Key Escrow proposal has similar properties), declining to use it does not fuel the pleas for legislative relief. In fact, it supports the argument that people don't even implement the strongest crypto they are allowed... why should they be allowed more? I think it is incumbent on all of us to do the best we can, for the brave to break the law and risk going to jail, for the wimpy to squeeze every last bit out of the allowed options, and for everyone to mouth off in risk-free forums like this one