Erik,

You are walking on a field of mines. Nevertheless, it is good to have a ball rolling.

Since I don't like the proposal, I will explain shortly why and will attach a counter proposal.

The first sentence is meaningless for me: "A trust anchor is an entity that is trusted by a certificate-using system supporting a relying party".

The second sentence introduces the concept of "trust anchor store". This concept, originally introduced in the PKIX WG, is nonsense to me. Trust anchors may be grouped under a set of rules usually called a "validation policy" or a "signature policy". In a given set of rules there are trust anchors, but also conditions that shall apply to every certificate of a to-be-tested certification path, like OIDs for certification policies, key usages, etc. Trust anchors cannot be simply grouped in "trust anchor stores" since different constraints may apply to every trust anchor.

I do know that MS has adopted a model where all CAs are equally trusted, but this is far too restrictive and this should not be the general rule.

Denis

From: "Erik Andersen" <era@xxxxxxx>
To: "Directory list" <x500standard@xxxxxxxxxxxxx>, "SG17-Q11" <t09sg17q11@xxxxxxxxxxxxx>
Date: 14/07/2011 19:05
Subject: [x500standard] Trust anchor
Sent by: x500standard-bounce@xxxxxxxxxxxxx

I have produced a suggested new subclause for X.509. It is to be inserted just before a certification path subclause.

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik

[attachment "trust-anchor.pdf" removed by Denis PINKAS/FR/BULL]
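A small illustration of the two models contrasted in the reply above, added for this page (it is not code from the thread or from any X.509 draft): a flat trust anchor store that accepts any path chaining to a stored root, versus a validation policy that attaches per-anchor constraints (certificate policy OIDs, key usages) to every certificate in the path. The Cert and AnchorRule structures, the names and the OIDs are constructed assumptions, and signatures are not verified, only name chaining.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    policies: frozenset   # certificate policy OIDs asserted by this certificate
    key_usage: frozenset  # key usage bits such as "digitalSignature", "keyCertSign"

@dataclass(frozen=True)
class AnchorRule:
    anchor: str                  # subject name of the trust anchor this rule governs
    allowed_policies: frozenset  # every certificate in the path must assert one of these
    ee_key_usage: frozenset      # key usages the end-entity certificate must carry

def chains_to_anchor(path, anchor):
    """path[0] is the end entity, path[-1] was issued by the anchor (names only)."""
    linked = all(path[i].issuer == path[i + 1].subject for i in range(len(path) - 1))
    return linked and path[-1].issuer == anchor

def validate_flat(path, store):
    """'Trust anchor store' model: every stored anchor is trusted equally, no constraints."""
    return any(chains_to_anchor(path, anchor) for anchor in store)

def validate_policy(path, rules):
    """Validation-policy model: the rule attached to the matching trust anchor
    constrains every certificate in the path. Returns (accepted, reason)."""
    rule = next((r for r in rules if chains_to_anchor(path, r.anchor)), None)
    if rule is None:
        return False, "no trust anchor listed in the policy matches this path"
    for cert in path:
        if not cert.policies & rule.allowed_policies:
            return False, f"{cert.subject}: certificate policy not allowed under {rule.anchor}"
    for ca in path[1:]:
        if "keyCertSign" not in ca.key_usage:
            return False, f"{ca.subject}: CA certificate lacks keyCertSign"
    missing = rule.ee_key_usage - path[0].key_usage
    if missing:
        return False, f"{path[0].subject}: missing key usage {sorted(missing)}"
    return True, f"accepted under the rule for {rule.anchor}"

# Constructed sample data; the OIDs are placeholders, not registered values.
QUALIFIED, BASIC = "1.2.3.4.1", "1.2.3.4.2"
GOV_CA = Cert("Gov CA1", "Gov Root", frozenset({QUALIFIED}), frozenset({"keyCertSign"}))
ALICE = Cert("alice", "Gov CA1", frozenset({QUALIFIED}), frozenset({"nonRepudiation"}))
CAROL = Cert("carol", "Gov CA1", frozenset({BASIC}), frozenset({"digitalSignature"}))
STORE = {"Gov Root", "Public Root"}  # flat store: both roots trusted alike
RULES = [AnchorRule("Gov Root", frozenset({QUALIFIED}), frozenset({"nonRepudiation"}))]
```

Both of Carol's and Alice's paths chain to a root in the flat store and are accepted there, while the policy model rejects Carol's because her certificate does not assert the policy the Gov Root rule demands.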