Hi Erik they are the same entity, arent they? The privilege verifier is a component of the relying party regards David On 08/04/2014 15:45, Erik Andersen wrote: > The second to the last paragraph of clause 13 of X.509 says: > > > > In both deployment models, the SOA issues attributes/privileges to > subordinate AAs. The AAs then request the DS to issue a subset of these > privilege attributes to other holders. In the second deployment model, > the DS can check that an AA is delegating within the overall scope set > by the SOA; in the first deployment model, the DS cannot check and the > relying party will have to check that delegation was performed correctly. > > > > I assume that it should say “privilege verifier” instead of “relying > party”. Right? > > > > Erik > > > > > ----- www.x500standard.com: The central source for information on the X.500 Directory Standard.