-- SSH server public/private keys are widely deployed. PKI public keys are not. Reason is that each SSH server just whips up its own keys without asking anyone's permission, or getting any certificates. Outlook and outlook express support digital signing and encryption -- but one must first get a certificate. So I go to Thawte to get my free certificate, and find that Thawte is making an alarmingly great effort to link certificates with true name information, and with the beast number that your government has assigned to you, which imposes large costs both on Thawte, and on the person seeking the certificate, and also has the highly undesirable effect that using these certificates causes major loss of privacy, by enabling true name and beast number contact tracing of people using encryption. Now what I want is a certificate that merely asserts that the holder of the certificate can receive email at such and such an address, and that only one such certificate has been issued for that address. Such a certification system has very low costs for issuer and recipient, and because it is a nym certificate, no loss of privacy. Is there any web page set up to automatically issue such certificates? The certs that IE and outlook express accept oddly do not seem to have any provision for defining what the certificate certifies. This seems a curious and drastic omission from a certificate format. Since there is no provision to define what a certificate certifies, one could argue that any certification authority that certifies anything other than a true name connected to a state issued id number, the number of the beast, is guilty of fraud. This would seem to disturbingly limit the usefulness and application of such certificates. It also, as anyone who tries to get a free certificate from Thawte will discover, makes it difficult, expensive, and inconvenient to get certificates. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG 7rl5qfyPL81rhIdYUGyx/+C8WqCcrYTgFcl1rLUX 4F/YurXISWTFVDuUgRsBx/0QJKrnyQcX24+wmb5i3