I should perhaps make it clear that a party may be trusted but untrustworthy or trustworthy but not trusted. The fatal mistake in security system design is to assume that the terms "trusted" and "trustworthy" are synonymous.
We have been building untrusted key certification and revocation services and an explicit audit policy that allows us to determine whether these services have misbehaved. Interestingly, such distrust may be of benefit not just to the customer, but also to the service provider.
For more information, contact mark.lomas@cl.cam.ac.uk.