On Wed, 12 Jun 2002, Keith Moore wrote:

> I don't want to discount the importance of cert discovery, but I do
> think it's a stretch to believe that you're going to be willing to trust
> all of the certs that you discover in a chain of significant length, for
> a significant set of purposes.

So do you think that there's a necessary difference in trustworthiness between the certs that you "discover" when you take your computer out of the box, or download the latest browser, and those that you would discover via some lookup mechanism? Even if the certs discovered via that mechanism were associated with policies based on explicit agreements and terms of use between your organization and the various issuers?

- RL "Bob"