Mike, A good CA revocation policy can specify an authentication mechanism used to verify that a revocation request is genuine. The examples you cite don't exhibit such a mechanism. I hate to see this justification for the suspension facility, but I'm beyond complaining about this CRL feature. Steve