insures -> ensures

This one the one hard enables -> This functionality enables

"they accept from any [the] issuing authority to only those identifiers that are [agreed to be] subject to a specific Authentication Profile." (remove words in brackets)

subsequent authorization decision -> ... decisions

The last point ("make validation...") is too vaguely stated. Any certificate in the chain implies that the RP should honor arbitrary Policy OIDs embedded in self-issued proxy certs. I suggest narrowing this down to EE and sub-CA certs for now.

You could add another wishlist item that middleware providers should honor the same configuration syntax that controls the OID set and namespace constraints... (and the CAOPS group should quickly find volunteers that nail down that syntax).

/Olle