Hi Tony,

Thanks for your comments. Certainly, the concept of trust broker will have to be removed if the trust broker concept is eventually rejected. As to your last point, this sentence could be retained.

Erik

From: Tony Rutkowski [mailto:tony@xxxxxxxxxxxxx]
Sent: 14 October 2013 14:06
To: Erik Andersen; Directory list; SG17-Q11
Subject: Re: [T17Q11] X.509 Summary for next (2016) edition

This revised summary clearly reflects a profound change in scope and concept by introducing and defining a "trust broker," as well as moving away from X.509's relatively narrow purpose by your eliminating the sentence "these frameworks may be used by other standards bodies to profile their application to Public Key Infrastructures (PKI) and Privilege Management Infrastructures (PMI)."

Who is seeking these changes? Who made the decision?

--tony

On 10/14/2013 6:14 AM, Erik Andersen wrote:

Hi folks,

It has been decided to make X.509 a pure PKI/PMI specification, moving pure directory stuff to other parts (X.511 and X.520). That includes Password Policy. This requires the Summary to be updated.

The old Summary is:

Recommendation ITU-T X.509 | ISO/IEC 9594-8 defines a framework for public-key certificates and attribute certificates. These frameworks may be used by other standards bodies to profile their application to Public Key Infrastructures (PKI) and Privilege Management Infrastructures (PMI). Also, this Recommendation | International Standard defines a framework for the provision of authentication services by Directory to its users. It describes two levels of authentication: simple authentication, using a password as a verification of claimed identity; and strong authentication, involving credentials formed using cryptographic techniques. While simple authentication offers some limited protection against unauthorized access, only strong authentication should be used as the basis for providing secure services.

A first draft for a new summary is proposed here:

Recommendation ITU-T X.509 | ISO/IEC 9594-8 defines frameworks for public-key infrastructure (PKI) and privilege management infrastructure (PMI). It introduces the basic concept of asymmetric cryptographic techniques. It specifies the following data types: public-key certificate, attribute certificate, certificate revocation list (CRL) and attribute certificate revocation list (ACRL). It also defines several certificate and CRL extensions, and it defines directory schema information allowing PKI and PMI related data to be stored in a directory. In addition, it defines PKI entity types, such as certification authority (CA), attribute authority (AA), relying party, trust broker and trust anchor. It specifies the principles for certificate validation, validation path, certificate policy, etc.

Please comment. Any suggestion is welcome.

Regards,

Erik