The second to the last paragraph of clause 13 of X.509 says:

In both deployment models, the SOA issues attributes/privileges to subordinate AAs. The AAs then request the DS to issue a subset of these privilege attributes to other holders. In the second deployment model, the DS can check that an AA is delegating within the overall scope set by the SOA; in the first deployment model, the DS cannot check and the relying party will have to check that delegation was performed correctly.

I assume that it should say "privilege verifier" instead of "relying party". Right?

Erik