I wrote: >They do however contain usage indicators (e.g. usable for email but not for >running a web server), but everything pretty much ignores those so the >attack is still possible. Hit send too soon, that should have ended with: "or contains nonsensical values that you can't rely on even if you wanted to". Peter.