> > I don't want to discount the importance of cert discovery, but I do > > think it's a stretch to believe that you're going to be willing to trust > > all of the certs that you discover in a chain of significant length, for > > a significant set of purposes. > > So do you think that there's a necessary difference in trustworthiness > between the certs that you "discover" when you take your computer out of > the box, or download the latest browser, and those that you would discover > via some lookup mechanism? Even if the certs discovered via that > mechanism were associated with policies based on explicit agreements > and terms of use between your organization and the various issuers? no, I think there's likely to be a difference in the trustworthiness of a short chain of certs involving a small number of other parties vs. that of a long chain of certs involving a larger number of other parties. and if the cert discovery mechanism can incorporate personal and/or site policy, that's great - as long as it knows which policy to use under which circumstances. in general I think the longer the cert chain, the narrower the applicability. Keith