The CPS states the authentication processes that the CA uses in issuing the certificate or otherwise certifying the key (amongst other things). You can trust the CPS in the sense that the CPS of a well-known CA should provide you with a reliable indication of the level of risk involved in relying on the certificate.

Yes, there are ways to get hold of a certificate even if you are a bad person. In the credit card world every transaction carries insurance, so the risk is acceptable. In the spam control world the risk is that you get spammed: a problem, but hardly a mission-critical, can-never-happen compromise. In the Web Services world someone can steal goods or services, a real problem, so expect Web Services PKI services to be based on PKI models such as XKMS where insurance can be sold with each transaction.

OK, so imagine the spam sender registers a bogus company and sends spam. What is the redress, how long can they get away with it and how easy will it be to get a replacement certificate?

It is likely that spam senders are going to get caught pretty quickly, within the first 100,000 messages or so. Spam a honeypot, get your credentials revoked. In theory you could revoke at that point. For technical reasons I won't bore you with, it is more likely you would want to not revoke the cert and instead revoke a 'trustworthy sender' attribute. This can still be advertised through XKMS. It is even possible to push the revocation notice out so that the emails can be retrospectively quarantined; this would require a new protocol.

A spam sender could attempt to use disposable certificates in the same way that IP addresses and dialup accounts are considered disposable. This is unlikely to work for long: the spam sender can set up lots of shell companies at the same address, but if the CA keeps authenticating to the same address or phone number the pattern will soon become apparent.

There is even an empirical measurement of how effective a CA's processes are. Just look at the scores that spamBayes is assigning to certs from different CAs. The zero-authentication CAs will quickly be attacked by spam senders.

Phill
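The following is an added illustration, not code from the original message or from any XKMS or SpamBayes implementation. It models three of the points above in a toy form: a honeypot hit withdraws a per-certificate 'trustworthy sender' attribute without revoking the certificate, mail already accepted under that certificate is found for retrospective quarantine, and each CA's authentication quality is measured by the mean spam score a Bayesian filter assigns to mail signed under its certificates. It also shows the contact-reuse pattern a CA would see when shell companies enrol from one address. Every CA name, certificate id, contact address and score is constructed.

```python
# Added example, not from the original post. Toy model of: withdrawing a
# 'trustworthy sender' attribute (not the cert) when signed mail hits a
# honeypot, retrospectively quarantining mail already delivered under that
# cert, measuring each CA's authentication quality by the spam scores a
# Bayesian filter assigns to mail signed under its certs, and spotting
# shell companies that enrol from one contact address.
# All CA names, certificate ids, addresses and scores are constructed.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class SignedMessage:
    cert_id: str        # constructed id of the signing certificate
    issuer: str         # constructed name of the issuing CA
    spam_score: float   # score a Bayesian filter assigned, 0.0 (ham) .. 1.0 (spam)
    to_honeypot: bool   # True if the recipient was a honeypot address


class TrustRegistry:
    """Per-certificate 'trustworthy sender' attribute, kept apart from the
    certificate's own validity so trust can be withdrawn without revoking
    the cert (the split the message attributes to an XKMS-style service)."""

    def __init__(self):
        self.registration = {}   # cert_id -> (issuer, contact given at enrolment)
        self.untrusted = set()   # cert_ids whose trustworthy-sender attribute is withdrawn

    def register(self, cert_id, issuer, contact):
        self.registration[cert_id] = (issuer, contact)

    def is_trustworthy(self, cert_id):
        return cert_id in self.registration and cert_id not in self.untrusted

    def withdraw_trust(self, cert_id):
        self.untrusted.add(cert_id)


def process_inbound(messages, registry):
    """Walk inbound mail in order; a signed message landing in a honeypot
    withdraws the signer's trustworthy-sender attribute.
    Returns the cert ids whose trust was withdrawn."""
    withdrawn = []
    for msg in messages:
        if msg.to_honeypot and registry.is_trustworthy(msg.cert_id):
            registry.withdraw_trust(msg.cert_id)
            withdrawn.append(msg.cert_id)
    return withdrawn


def retrospective_quarantine(messages, registry):
    """Mail already delivered to real recipients under certs whose trust has
    since been withdrawn; the candidates for after-the-fact quarantine."""
    return [m for m in messages
            if not m.to_honeypot and not registry.is_trustworthy(m.cert_id)]


def spam_score_by_ca(messages):
    """Mean filter score of mail signed under each CA's certs, rounded to three
    places. A CA that authenticates nobody drifts toward 1.0."""
    scores = defaultdict(list)
    for m in messages:
        scores[m.issuer].append(m.spam_score)
    return {ca: round(mean(s), 3) for ca, s in scores.items()}


def shared_contacts(registry, min_certs=2):
    """Enrolment contacts used by at least min_certs certificates: the pattern
    a CA sees when shell companies keep giving the same address or phone."""
    by_contact = defaultdict(list)
    for cert_id, (_, contact) in registry.registration.items():
        by_contact[contact].append(cert_id)
    return {c: sorted(ids) for c, ids in by_contact.items() if len(ids) >= min_certs}


# Constructed sample data: one careful CA, one that checks nothing.
REGISTRY = TrustRegistry()
REGISTRY.register("cert-A1", "StrictCA", "12 Audit Rd")
REGISTRY.register("cert-A2", "StrictCA", "7 Verified Ave")
REGISTRY.register("cert-B1", "ZeroAuthCA", "1 Shell St")
REGISTRY.register("cert-B2", "ZeroAuthCA", "1 Shell St")

SAMPLE = [
    SignedMessage("cert-A1", "StrictCA", 0.05, False),
    SignedMessage("cert-B1", "ZeroAuthCA", 0.95, False),   # delivered before detection
    SignedMessage("cert-A1", "StrictCA", 0.10, False),
    SignedMessage("cert-B1", "ZeroAuthCA", 0.99, True),    # lands in a honeypot
    SignedMessage("cert-B2", "ZeroAuthCA", 0.90, False),
    SignedMessage("cert-A2", "StrictCA", 0.02, False),
]

if __name__ == "__main__":
    print("trust withdrawn:", process_inbound(SAMPLE, REGISTRY))
    print("quarantine:", [m.cert_id for m in retrospective_quarantine(SAMPLE, REGISTRY)])
    print("mean spam score by CA:", spam_score_by_ca(SAMPLE))
    print("shared enrolment contacts:", shared_contacts(REGISTRY))
```

Withdrawing the attribute rather than the certificate keeps the signature verifiable, so the quarantine step can still tie earlier mail to the now-untrusted signer; the per-CA mean is the cheap, observable proxy for how much authentication a CA actually does.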