David:

I think we have reached agreement on the vast bulk of the things in my message and your reply.
One exception:
> One more item. Russ wrote:
> > I see no reason for there to be more than one all-powerful TA as
> > long as the all-powerful TA can be used to make updates to the
> > all-powerful TA, say when two enterprises merge.
> The reason may be dealing with private key compromise in a tractable fashion - if an all-powerful TA needs to be revoked (e.g., via a CRL), it would be more than convenient to have another one to use. Two should be enough.
You cannot deal with trust anchor compromise with CRLs. Trust anchors represent the beginning of a certification path, and thus they do not have a parent to issue the CRL.
I agree that trust anchor compromise deserves some attention. SET offered a solution, which may be covered by a patent held by VISA International. I am aware of at least one other solution, but it is not clear if a patent is in the works or not. I'm trying to find out.
Russ
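The point Russ makes above, as an added example that is not part of the thread: a toy certification-path validator in the shape of RFC 5280 path validation, where the trust anchor is an input to the algorithm rather than a certificate being validated. Certificates, CRLs and "signatures" are modelled structurally (names and serial numbers only, no real cryptography), and the small PKI (Root1, Root2, Sub1, alice, bob) is constructed for the example. It shows that a CRL reaches every certificate below an anchor, that putting the anchor's own serial on a CRL changes nothing, and that the only remedy is removing the anchor from the trust store, which is why a second anchor keeps the relying party working.

```python
# Added example (not from the thread): a toy certification-path validator
# showing where CRLs apply and why they cannot reach a trust anchor.
# Certificates, CRLs and signatures are modelled structurally; no real
# cryptography is involved, so every check here is on names and serials.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # a self-signed trust anchor names itself as issuer
    serial: int


@dataclass
class CRL:
    issuer: str                                   # the CA whose certs it lists
    revoked: set = field(default_factory=set)     # serial numbers


class PathValidationError(Exception):
    pass


def find_crl(crls, issuer):
    """Return the CRL issued by `issuer`, or None if that CA has published none."""
    return next((c for c in crls if c.issuer == issuer), None)


def revoke(crls, cert):
    """Add `cert` to the CRL of its issuer, creating the CRL if needed.

    For a self-signed trust anchor this yields a CRL 'issued' by the anchor
    about itself, which validate_path never consults (see below).
    """
    crl = find_crl(crls, cert.issuer)
    if crl is None:
        crl = CRL(cert.issuer)
        crls.append(crl)
    crl.revoked.add(cert.serial)


def validate_path(path, trust_anchors, crls):
    """Validate path[0] (end entity) ... path[-1] (issued by a trust anchor).

    Mirrors the RFC 5280 shape of path validation: the trust anchor is an
    input to the algorithm, not a certificate being validated, so revocation
    is checked only for certificates *below* it.  Returns the anchor reached.
    """
    if not path:
        raise PathValidationError("empty path")
    anchors = {ta.subject: ta for ta in trust_anchors}
    for i, cert in enumerate(path):
        # name chaining: each cert's issuer must be the next cert's subject
        if i + 1 < len(path) and path[i + 1].subject != cert.issuer:
            raise PathValidationError(
                f"{cert.subject}: issuer {cert.issuer!r} != {path[i + 1].subject!r}")
        # revocation: consult the CRL of the CA that issued this cert
        crl = find_crl(crls, cert.issuer)
        if crl is not None and cert.serial in crl.revoked:
            raise PathValidationError(
                f"{cert.subject} (serial {cert.serial}) revoked by {cert.issuer}")
    anchor = anchors.get(path[-1].issuer)
    if anchor is None:
        raise PathValidationError(f"no trust anchor named {path[-1].issuer!r}")
    return anchor


def path_is_valid(path, trust_anchors, crls):
    try:
        validate_path(path, trust_anchors, crls)
        return True
    except PathValidationError:
        return False


def remove_trust_anchor(trust_anchors, compromised):
    """The only remedy for a compromised anchor: take it out of the trust store."""
    return {ta for ta in trust_anchors if ta != compromised}


# Constructed sample PKI: two independent anchors, one subordinate CA.
ROOT1 = Cert("Root1", "Root1", 1)
ROOT2 = Cert("Root2", "Root2", 1)
SUB1 = Cert("Sub1", "Root1", 5)
ALICE = Cert("alice", "Sub1", 10)
BOB = Cert("bob", "Root2", 20)


def demo():
    """Returns (before, after_anchor_crl, alice_after_removal, bob_after_removal)."""
    anchors = {ROOT1, ROOT2}
    crls = []
    before = path_is_valid([ALICE, SUB1], anchors, crls)
    revoke(crls, ROOT1)           # "revoking" the anchor by CRL has no effect
    after_anchor_crl = path_is_valid([ALICE, SUB1], anchors, crls)
    anchors = remove_trust_anchor(anchors, ROOT1)   # removal is what works
    return (before, after_anchor_crl,
            path_is_valid([ALICE, SUB1], anchors, crls),
            path_is_valid([BOB], anchors, crls))


if __name__ == "__main__":
    print(demo())   # (True, True, False, True)
```

Run `demo()` to see the sequence: alice validates under Root1, still validates after Root1's serial is placed on a CRL (there is no parent CA whose CRL the validator would consult for an anchor), fails once Root1 is dropped from the trust store, while bob under the second anchor keeps validating. Revoking Sub1 via Root1's CRL, by contrast, does invalidate alice, because Sub1 sits below the anchor.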