On Thu, 20 Dec 2007, Nicolas Williams wrote: >> - ignore domain if applicable (eg. mail-to-user mapper) > >That could only be OK if the set of trust anchors is narrow enough. hmm, not sure what you mean by this. If I understand that correctly, one KMF policy means one trusted anchor only. J. -- Jan Pechanec