Ref: Your note of Thu, 12 Sep 1996 19:03:02 +0200 (MET DST) > how do you plan to handle certificate expiry without shared time? time for certificate expiration and time for freshness/anti-reply in key exchange protocols are two very different issues. The need for the first doesn't justify its use when generating fresh session keys. Hugo