>we can also probably (though i've not checked) coerce the nbwww key
>into signing the "NetBSD CA" key, thereby establishing a line (note,
>not a web) of trust back to one of the "globally recognized CAs".

Very unlikely, a cert from veri$ign etc that would allow you to do that
would cost a lot more than a simple host cert, and there's very little 
benefit to us in doing that.  The "globally recognized CAs" are only
useful to browsers - because most users do not want to think about
deciding whom to trust.

Thanks
--sjg