Alas, certain critical social steps have been elided in the proposed protocol.

As it happens, I'm working on an article, to be published in the Oregon Law Review next year, on "The Importance of Trusted Third Parties in Electronic Commerce". It's mostly about the care and feeding (and legal liability!) of a CA. Unfortunately for this discussion, I'm only part way through my thinking about what the liability of a CA might be, so I don't have carefully considered conclusions to offer you. Try me again in a few weeks.

In the absence of legislation...

[PLUG: if you haven't already done so, RUSH to my homepage http://www.law.miami.edu/~froomkin and click on the link to the ABA draft of the digital signature guidelines. This mis-named document is actually all about CA liability. Comment period now extended to mid-January.]

...you need to worry about who might *use* the certificates, and what they might do to the CA in the case of mis-certification or other misfortune. At the very least, there is a tort claim for "negligent mis-representation" the first time an inaccurate certificate, or an accurate certificate referencing a compromised key, is used in a transaction that goes sour.

I don't give legal advice on line, ever, so I can't tell you how to avoid liability. I'm not even sure that this is possible absent legislation. I can, however, mention techniques that at this writing seem to me to be an essential part of any liability-reduction strategy, without any claim that these alone suffice to protect you to the level that I would want to be protected (I'm a cautious guy). Repeat: I do claim that pending further thought these steps seem necessary, **not** that they are sufficient:

A) Establish a clear certification policy document, describing in detail what checks are made before issuing a certificate, how quickly CRLs are posted, and where. This doesn't mean onerous checks are necessary, just that you need to be clear as to what checking a certificate from you embodies. Publish this document.

B) Reference this policy document in every certificate.

C) Don't settle for less than X.509 ver 3, because this allows the certificate to carry within it a reference to the location of the CRL list. Use that feature.

D) Establish a very reliable mechanism to ensure CRLs are posted where and when they should be.

E) Use a secure, trusted, computer system.

Again, I note that this is NOT a complete list of what you need to do. For more inspiration consult the ABA document referenced above.

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law     | froomkin@law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.