Abstract Two-party communication protocols for public-key cryptosystems are studied. The formal models are based on the definitions given by Dolev and Yao. While the main concern of Dolev and Yao was security, the subject of the present paper is the ‘verifiability’ of protocols. If a protocol is both sender-verifiable and receiver-verifiable, then either participant can detect when a false or altered message has been injected into the system and can refuse to respond to such a message. Hence, the power of a saboteur can be severely limited if at each stage the participants refuse to continue the exchange unless the last message received complies with the protocol. This means that the message authentication problem of Diffie and Hellman  can be solved. To formally describe the notion of verifiability, ‘sender-verification sequences’ and ‘receiver-verification sequences’ are introduced; if a protocol has a strong sender-verification (receiver-verification) sequence, then there is a simple algorithm that the sender (resp., receiver) can use to determine at each stage whether the last message received complies with the protocol. The main results are characterization theorems for both symmetric cascade protocols and symmetric name-stamp protocols that have strong sender-verification sequences or strong receiver-verification sequences. In addition, characterization theorems for nonsymmetric cascade protocols and non-symmetric name-stamp protocols that have verification sequences that are not necessarily strong are developed.