I haven't had time to get back to this for more review, but 2 things:

(1) Name constraints. We need to say something about this. My understanding is that most grid middleware and many, if not all, applications will not be able to deal with name constraints (it's a critical extension, and most software doesn't know how to interpret it, and there are continuing problems with the PKIX interpretation rules). I was also told recently both that OpenSSL had name constraint capability now, and that it didn't work. I think what we need to say is that this extension cannot (must not) be used currently in Grid middleware. Perhaps that could be "should not", since a "private" grid might be able to pick & control X.509 software that can cope with name constraints. (It's also useless, except in networks of CAs, but we probably don't need to get into that.)

(2) A subscriber asks about key usage settings for client & server (this is the NS cert type extension, not the other possibility). We set both for people - in the old days in Grids, people set up one-off servers with personal certs, and so it was a "requirement". We are currently recommending not to use NS types at all; does this need refining?

Thanks,
==mwh
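Both points in the message come down to the same operational question: which X.509 extensions does a certificate actually carry, and what does a verifier do with them? The following is an added illustration, not code from the poster or from any grid middleware project. It uses Go's standard crypto/x509 package as a stand-in for a verifier that does implement name constraints, builds a constructed CA that permits only names under the made-up domain grid.example, and audits certificates for the two extensions discussed: a critical nameConstraints extension (OID 2.5.29.30) and the legacy Netscape cert-type extension (OID 2.16.840.1.113730.1.1), here populated with the "SSL client + SSL server" bits the post says were set for people. The CA name, host names and 0xC0 bit pattern are constructed sample values; a verifier that does not understand a critical extension would, per RFC 5280, have to reject the CA certificate outright, which is the middleware compatibility problem the message raises.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Standard extension OIDs: nameConstraints (RFC 5280) and the Netscape
// cert-type extension the post calls "NS cert type".
var (
	oidNameConstraints = asn1.ObjectIdentifier{2, 5, 29, 30}
	oidNsCertType      = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 1, 1}
)

// ExtensionAudit summarises the two extensions a grid CA operator would screen for.
type ExtensionAudit struct {
	HasNameConstraints      bool
	NameConstraintsCritical bool
	HasNsCertType           bool
}

// AuditExtensions walks the raw extension list, so it sees nameConstraints
// and nsCertType regardless of whether the parser interprets them.
func AuditExtensions(cert *x509.Certificate) ExtensionAudit {
	var a ExtensionAudit
	for _, ext := range cert.Extensions {
		switch {
		case ext.Id.Equal(oidNameConstraints):
			a.HasNameConstraints = true
			a.NameConstraintsCritical = ext.Critical
		case ext.Id.Equal(oidNsCertType):
			a.HasNsCertType = true
		}
	}
	return a
}

// NewConstrainedCA builds a constructed self-signed CA whose critical
// nameConstraints extension permits only DNS names under permittedDomain.
func NewConstrainedCA(permittedDomain string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Constructed Grid CA"}, // constructed name
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign,
		PermittedDNSDomains:         []string{permittedDomain},
		PermittedDNSDomainsCritical: true, // RFC 5280 requires nameConstraints to be critical
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf signs a server certificate for dnsName with the CA. When withNsCertType
// is set it adds the Netscape cert-type extension with the "SSL client" and
// "SSL server" bits set (bit string 0xC0), mirroring the "set both" practice.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, withNsCertType bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withNsCertType {
		val, err := asn1.Marshal(asn1.BitString{Bytes: []byte{0xC0}, BitLength: 2})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidNsCertType, Value: val}} // non-critical
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAgainstCA runs the chain validation of a name-constraint-aware verifier
// (Go's crypto/x509): a leaf outside the permitted subtree is rejected even
// though its signature by the CA is valid.
func VerifyAgainstCA(ca, leaf *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}
```

Running `AuditExtensions` over a CA's certificates before deploying them is the cheap check here: if it reports a critical nameConstraints extension, every relying party in the grid must be known to implement it, otherwise the whole chain fails validation rather than just the out-of-scope names; a reported nsCertType flags a certificate that still carries the extension the current recommendation says to drop.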