At 7:46 5/7/96, Raph Levien wrote: [...]

The S/MIME spec indicates the use of X.509v3 certificates, which, in turn, are explicitly allowed to contain trust roots originating in the client's local configuration. In other words, yes, the spec allows for a Web of trust. The big question, of course, is how easy the key management will be in such a case. Everything I've seen points to key management being super-easy if you use VeriSign certs, and probably just as bad as PGP otherwise. Unlike PGP, most e-mail clients will probably not come configured with the capablity to sign other keys - in the X.500 world, e-mail clients and "certification authorities" are two separate applications.

Since VeriSign is going to issue certs for nyms for free, the only requirement being uniqueness, using their certs might not prove much of a problem. Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green <mailto:shamrock@netcom.com> PGP encrypted mail preferred.