Hi Folks, Note 2 of 8.3.2.1 (which should not be a note) states that the value of the public-key certificate subject field may hold an empty DN under certain conditions. The note of 8.3.2.2 states something similar for the issuer field. Somewhere down in clause 7, a little before the CertificationPath data type, the following statement may be found: The issuer and subject fields of each certificate are used, in part, to identify a valid path. For each pair of adjacent certificates in a valid certification path, the value of the subject field in one certificate shall match the value of the issuer field in the subsequent certificate. In addition, the value of the issuer field in the first certificate shall match the DN of the trust anchor. Only the names in these fields are used when checking validity of a certification path. Names in certificate extensions are not used for this purpose. What is true? Erik Andersen Andersen's L-Service Elsevej 48, DK-3500 Vaerloese Denmark Mobile: +45 2097 1490 e-amail: era@xxxxxxx Skype: andersen-erik http://www.x500.eu/ http://www.x500standard.com/ <http://dk.linkedin.com/in/andersenerik> http://dk.linkedin.com/in/andersenerik