Suppose I am a CA. I am worried that by issuing a certificate with a lifespan of more than 2 milliseconds I am opening myself up to unlimited liability if for some reason, despite my best efforts, I issue an erroneous certificate. I know I can write disclaimers, but that's not reliable since courts often ignore them, and anyway it scares off customers. I know I can put an expiration date on the certificate, but that's not enough. I can accumulate a lot of exposure in a few seconds, much less weeks. I know I can put a reliance limit in the X.509 ver 3 certificate, but that's not enough. Even a $1 limit could be used many millions of times. Is it feasabile to say: Can only be relied on once per day/week/month? Is this something the relying parties can reasonably be expected to monitor? It seems to me that this sort of a limit is essential if a CA is to feel comfortable outside Utah.... A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin@law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here.