Lynn! Before wasting too much list bandwidth, lets conclude that the TTP CA business and legal models are still to be determined by establishing practices. Not a single case have to my knowledge reached a court yet so [all] this is just "theory", "habits", and "speculation", albeit rather interesting such :-)
The following lines show that TTP CAs may have a long way to go: "In a simple TTP CA stale, static certificate model, without a business relationship between the merchant and the consumer's TTP CA , no business relationship has been created between the consumer's TTP CA and the merchant. Therefor there is no grounds to sue." An odd thing is that a major reason Identrus use a four-corner model is to have the relying party sign a contract freeing Identrus from liability! I.e. this is like accepting a typical US SW contract which says "AS IS", "NOT FIT FOR MISSION-CRITICAL USE", etc. Without having RP-contracts TPP CAs are (they claim so at least), potentially liable for whatever bad things the consumer does. I'm not the one to tell if this is wrong or not. Frankly, I don't _anybody_ with certainty can claim that something is right or wrong based on no practical experience at all, as this kind of TTP activity (unlike payments), is totally different from anything else we know. Drivers' licenses or passports are not comparable in any way as there is no physical appearance supporting the identification process. Lets take a new look in 3-5 years from now and see "what really happened". It will be a truly Darwinian process.... Anders
