I didn't bother imbedding the RSA Unaffiliated User CA because I didn't think server operators would use it to get certificates.
Well, it's what Apple is using for PowerTalk signers (which are a key pair and X.509 certificates, by default from the Unaffiliated User PCA). It makes sense for personal (as opposed to organizational) servers, such as someone running MacHTTP for their home page... On the other hand, if RSA has set up a server PCA, that should be sufficient for now. I wonder what the certification policy is, though--how do you prove that you control a given server? For an Unaffiliated User CA certificate, you just have to show a notarized application and two forms of ID, one with a photo (driver's license, passport, etc.). I can't offhand think of an equivalently strong way to ID control of a server...

Amanda Walker
InterCon Systems Corporation