problem is that consumers don't normally know that they want to check on a particular merchant's CRL entry until they realize that they want to go to that merchant site. in general, the consumers aren't going to want to keep a local (usenet) database of all CRL entries (however they are distributed) ... so it is more likely the ISP would have to keep all the entries ... pushed into a database ... and let the consumer do an online database lookup of the CRL entries (effectively the local ISP is keeping a cached copy of all entries ... and uses usenet as the distribution infrastructure).

sometimes, usenet can take several hrs to a day to propagate ... so the person may still want to do an online transaction against the agency that issued a certificate. In which case, the local ISP would be considered a "stand-in" ... maintaining a negative file ... and returning positive answers if there isn't a match in the negative file for the online transaction ... in which case the consumer may still want to do another online transaction against the master file (located somewhere in the internet).

Given that online transactions are being performed ... then it may even be more straightforward to use domain name infrastructure to manage distribution and management of cached entries. It has somewhat better online transaction semantics than usenet (already). However, since this is turning into online transaction infrastructure ... it is then possible to eliminate both the certificates and CRLs totally and just use the straightforward domain name infrastructure.

back again to certificates typically being superfluous and redundant in an online infrastructure.

"Arnold G. Reinhold" <reinhold@world.std.com> on 11/27/2000 07:53:35 AM
Please respond to "Arnold G. Reinhold" <reinhold@world.std.com>