Section 8 is said non-normative. But it makes use of normative keyword MUST ("The PDP MUST treat this consistently ..."). Conversely, there is use of "must"in a non-normative way, which is confusing ("An implementation must take care to authenticate the contents of <PolicyIssuer> elements before the policies are included in the PDP.") Why make such strong statements if not deemed necessary to implement? DOes this mean an implementation will not work properly if these non-normative "must" statements are not satisfied?