l27.7: I think this text should be added as part of "3.2.2 Receipt of Client Request" or "4. Security Considerations": The KDC MUST verify that the endtime of the requested ticket is before the end time (notAfter time) of the client certificate. The KDC should still issue the ticket if the certificate is valid, but limit the endtime to the expiration time of the certificate. One argue that is really part of the folloing text in the security considerations: PKINIT extends the cross-realm model to the public-key infrastructure. Users of PKINIT must understand security policies and procedures appropriate to the use of Public Key Infrastructures [RFC3280]. But since I missed it, it might be good to add the text above.