Re: No matter where you go, there they are.
Well, we've pretty thoroughly convinced ourselves that Denning's scheme can be spoofed (I'm convinced, anyway.) It's actually worse than useless - it's a substantial security breach.

To spoof being at a location, Mallory needs to know the location he is trying to spoof. With S/A off (as I understand it is now), he needs to know the location within a couple meters, in three dimensions. Such precise location data is usually difficult to obtain, without actually visiting the site and recording the location using GPS. Mallory might be able to work out, for example, the location of the desk in the Oval office to that precision by triangulation (though setting up theodolites on Massachusetts Avenue may attract some attention :-) However, I defy him to find the location of a specific PC in NSA headquarters, or in a secured communications facility without actually visiting the desk carrying a GPS receiver (which he won't be allowed to do, unless he's got a damn good reason).

However, since the protocol requires that Alice send out location data, once she starts using it she reveals her physical location to Eve, Mallory, and anyone else who can see the packets. Since the nature of the protocol is that Alice's location does not change frequently (and needs to be transmitted via a trusted channel to Bob when it does), after the first usage Mallory *knows* the physical location he is trying to simulate, and can use this information for future spoofing.

The upshot of this is that Denning's scheme not only provides no security against spoofing, but also leaks potentially sensitive data about locations. If Sadaam Huissain (sp?) had used this scheme during the Gulf War, we'd have been able to send a cruise missile directly to his keyboard.

[These flaws in the protocol seem so obvious that I can't help but wonder if we're missing something - Dorothy isn't *that* stupid.]

Peter Trei
trei@Process.com