> I think this is bad from a security point of view. If you are extracting the key
> from the certificate and using it alone, then you lose "validity" information.
> IMHO, if you want to use X509 PKI then you should use certificates
> directly instead of hacking them.

Unless you're using XKMS, in which case all such "trust" decisions are
off-loaded to a central server.

/r$