Yes, the CPS disclaims all WARRANTIES. You do not want a CA that provides a recourse that depends on a finding of fault. WARRANTIES are a specific legal instrument that provides recourse through the courts under theories of merchantability and negligence. So you have to PROVE the CA did something wrong... you don't want that.

What you want is insurance; read the relying party agreement. That specifically provides insurance for certain specific failures. In other words, a NO-FAULT dispute procedure.

Do you think that folk signing PGP keys are undertaking unlimited liability should the certification turn out to be incorrect?

Folk use our $15 a year certificates for some hair-raising stuff. There is a certain organization that moves very large sums of money every day whose PKI consists of buying a few hundred certs from our consumer site via credit card. So don't expect anyone to accept unlimited liability for a fixed $15 fee.

If you want to have insurance on a per-transaction model you have to go to an online technology. That is one of the many reasons we designed OCSP and then XKMS.

I think the real problem here is that folk are demanding something that is impossible. They want a PKI that is entirely costless, failure free and provides unlimited liability. If you set that as the standard for existence of a global PKI then you are never going to see one.

Security is risk control, not risk elimination.

Phill