Section 1.3.2: Does each organization have only one RA member?

Section 2.1: According to the latest version of the Authentication Profile for classic X.509 Public Key Certification Authorities with secured infrastructure ...
(1) The RAs must record and archive all requests and confirmations.
(2) The CA is responsible for maintaining an archive of these records in an auditable form.
(3) You can add more detail about the relationship between the CA and the RA.

Section 4.1:
(1) If the application "if" approved ... this word "if" might be incorrect.
(2) The certificate is created by an online machine or an offline machine?

Section 4.4.1: When one has left the organization or any server has stopped service, their certificates should be revoked.

Section 4.4.2: Who can request revocation? According to the latest version of the Authentication Profile for classic X.509 Public Key Certification Authorities with secured infrastructure ... Revocation requests can be made by end-entities, Registration Authorities and the CA. These requests must be properly authenticated. Others can request revocation if they can sufficiently prove compromise or exposure of the associated private key. Are the KISTI GRID PKI managers the CA managers?

Section 4.4.3:
(1) Your CP/CPS states: "When a certificate is revoked, the owner of the certificate will be notified the revocation by email." Who sends this notification?
(2) The revocation request must be sent via a secure method such as signed email.

Section 4.5: I thought you could add more audit information. Does the CA manager need to audit the RA?

Section 4.8: If the CA server is damaged, is there any remedy?