I should mention at this point that self-signed certificates work in exactly the same way as ca signed certificates.

AspectWerkz also supports other method call signatures, though with a little added effort required in terms of the configuration.

Then it becomes possible for the signing key to be stolen by someone within the CA's work sphere who could then create arbitrary certificates with almost anyone's name.