The document

> - 'Memorandum for multi-domain Public Key Infrastructure Interoperability'
> <draft-shimaoka-multidomain-pki-11.txt>

as an Informational RFC creates the impression that "trust anchors" must always be self-signed CA certificates.

What is a trust anchor MUST remain completely up to local policy (which might be a client-local policy in some scenarios); there should be NO restriction whatsoever on what can be configured as a trust anchor. The idea of a trust anchor is that we trust the (public) key of the trust anchor, so that the PKI implementation may perform a reduced (certificate) path validation only up to the trust anchor. The management of trust anchors is also completely a local (policy) issue, i.e. what keys are considered trust anchors, and how they are distributed, managed and updated.

I am violently opposed to the document's requirements and restrictions on what may and what may not be a trust anchor certificate. Documents published by the IETF (even if just Informational) should neither make unconditional restrictions (MUST NOT) nor unconditional requirements (MUST) for the selection of trust anchors. Instead, protocols and implementations SHOULD support the use of arbitrary trust anchors as desired by local policy.

-Martin