Reading the Slashdot from 4 days ago, it seems the main cost would be setting up a network-isolated box and feeding it blank media till you had enough certs to go around, and then making sure the passphrases for the private key were recoverable (yeah, I know it's not as provably secure, but we're dealing with humans here) in case the hapless forgot theirs.
Aw, hell, just run the CA on a spare partition on one of your webservers, use the IPs of Nimda-infected hosts to seed your PRNG and see just how little security you can get away with, he, he.

Maybe that's the answer: instead of a few big CAs with wretched security, you go for a zillion cheap and crappy CAs and exploit the redundancy. IOW, if a significant minority of the CAs you've dealt with say you are a liar and a cheat and the ones who rate you most trusted are themselves down-rated.... sort of an anthill, bird flock thing.

--
http://www.efn.org/~laprice        ( Community, Cooperation, Consensus
http://www.opn.org                 ( Openness to serendipity, make mistakes
http://www.efn.org/~laprice/poems  ( but learn from them.(carpe fructus ludi)
_______________________________________________
Eug-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug