Stephen writes:

> Does my signature on this message make you trust
> it more than, say, the ten ads you got this morning
> for Viagra?

Your signature tells me nothing, it's what I know about your private key that is significant. If there is someone I trust that signs a statement that says that they have authenticated the business address of the person sending the message I can have a certain level of confidence that it is not spam. The vast majority of the spams sent are out and out frauds. These people do not want to leave behind contact addresses.

If there is someone who in addition says that they have audited the sender or obtained some sort of anti-spam bond from them then the level of confidence may be higher. If there is someone who states that the private key corresponding to the public key in question is embedded in secure hardware that enforces a particular signing policy then you can have a higher degree of confidence still (note, this is not a standards suggestion, certain implementations of that concept are covered by pending patent claims).

PKI is a tried, tested and deployed solution at this stage. It works really well at the enterprise level and there is a whole industry based on it. Don't confuse the fact that PGP or webs of trust or whatever fail to solve a problem with what PKI can and has achieved. There is a reason that infrastructure is necessary.

Phill