>Second, many of my colleagues have asked me to remove their old keys from my database, because they >have forgotten them, although the PGP repository has not. FWIW, the public repository at pgp.com reverifies the keys from time to time. Earlier this week I got a couple of messages saying that if I still wanted them to publish keys corresponding to those addresses, click through and reconfirm. (Yes, I realize how weak this is, but in the circumstances it's better than nothing.) Your overall point that the problem with crypto is that it's unusable if you're not a hard core geek is of course correct. >Third, I note that when I receive a signed email that has gone through an IETF alias, I can no longer >verify the signature as a result of content modification. What is the value of a signature one cannot >verify? With the advent of DMARC, this problem now affects a lot more people than ones who are looking for PGP signatures. R's, John