View Issue Details

ID: 0006656
Project: 10000-014: PubSub
Category: Spec
View Status: public
Last Update: 2021-06-07 17:07
Reporter: Matthias Damm
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Summary: 0006656: AddSecurityGroup requires clarification
Description

The AddSecurityGroup has different parameters.

Parameters SecurityPolicyUri or SecurityGroupName can be rejected if SecurityPolicyUri does not have a valid value or if the name already exists.
We have a result code for a duplicate name.
We should define BadInvalidArgument for invalid SecurityPolicy.

Parameters KeyLifetime, MaxFutureKeyCount and MaxPastKeyCount may exceed limits defined by the server.
In this case we should adjust them without error.
We should indicate that the client should read back the revised values.

Tags: No tags attached.
Commit Version
Fix Due Date

Activities

Zbynek Zahradnik

2021-03-18 10:14

developer   ~0014042

After considering more scenarios, I would rather do a bigger change and somehow extend the specification so that any SecurityPolicyUri can be set, but there will be a way to figure out whether the server (SKS) supports it or not, by a new method or read-only variable or something alike.

This is because, in fact, there is no "invalid" SecurityPolicyUri (maybe except for URI syntax errors). There are just SecurityPolicyUri-s that are just not currently supported by a particular server (SKS).
Even though we do not expect many PubSub security policies to ever exist, in general there may be more added in the future. And you need to consider practical scenarios like exchanging PubSub configuration files, and what happens if the file is loaded into a SKS but contains, at that moment, a SecurityPolicyUri that is not supported by the SKS currently.

An empty security policy URI (which I happened to use by mistake) might indicate that the SKS is free to use its default (which is what UaAutomation SKS prototype did) - but of course, the information returned by GetSecurityKeys should contain the concrete security policy URI actually used, so that the consumers know which policy the security keys correspond to.

I am fine with the server adjusting the other parameters, and the reading back suggestion.

Matthias Damm

2021-03-30 14:29

developer   ~0014121

Added in OPC 10000-14 - UA Specification Part 14 - PubSub 1.05.0 Draft32.docx

8.7 SecurityGroupFolderType

Added new property:

HasProperty | Variable | SupportedSecurityPolicyUris | String[] | PropertyType | Optional

The SupportedSecurityPolicyUris Property contains a String array with the SecurityPolicyUris supported by the SKS. The Property shall be provided at the root SecurityGroupFolder.

8.8 AddSecurityGroup Method

Added clarifications to argument descriptions:
KeyLifetime
The lifetime of a key in milliseconds.
If the requested value exceeds the limits defined by the SKS, the value is adjusted by the SKS. The caller can get the revised value by reading the KeyLifetime of the created SecurityGroup.
SecurityPolicyUri
The SecurityPolicy used for the SecurityGroup. If a null or empty String is passed in, the SKS sets the default SecurityPolicyUri. If the SecurityPolicyUri is not known to the SKS, Bad_InvalidArgument shall be returned.
MaxFutureKeyCount
The maximum number of future keys returned by the Method GetSecurityKeys.
If the requested value exceeds the limits defined by the SKS, the value is adjusted by the SKS. The caller can get the revised value by reading the MaxFutureKeyCount of the created SecurityGroup.
MaxPastKeyCount
The maximum number of historical keys stored by the SKS.
If the requested value exceeds the limits defined by the SKS, the value is adjusted by the SKS. The caller can get the revised value by reading the MaxPastKeyCount of the created SecurityGroup.

Added to method result codes:
Bad_InvalidArgument
The SecurityPolicyUri is not supported by the SKS.
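
The argument handling described in the note above, as an added Python sketch that is not part of the specification text or of any OPC UA SDK. The function names, the SKS limits and the choice of default policy are assumptions, status codes are shown as symbolic names, only upper limits are modelled, and the duplicate-name check is omitted.

```python
from dataclasses import dataclass

# Constructed SKS configuration: the limits and the default policy are assumptions.
SUPPORTED_SECURITY_POLICY_URIS = (
    "http://opcfoundation.org/UA/SecurityPolicy#PubSub-Aes128-CTR",
    "http://opcfoundation.org/UA/SecurityPolicy#PubSub-Aes256-CTR",
)
DEFAULT_SECURITY_POLICY_URI = SUPPORTED_SECURITY_POLICY_URIS[1]
SKS_LIMITS = {"KeyLifetime": 86_400_000.0, "MaxFutureKeyCount": 10, "MaxPastKeyCount": 5}


@dataclass
class SecurityGroup:
    name: str
    properties: dict  # what a client reads back from the created SecurityGroup


def add_security_group(groups, name, key_lifetime, security_policy_uri,
                       max_future_key_count, max_past_key_count):
    """Return (status, SecurityGroup or None) following the rules quoted above."""
    if not security_policy_uri:
        # Null or empty String: the SKS sets its default policy.
        uri = DEFAULT_SECURITY_POLICY_URI
    elif security_policy_uri in SUPPORTED_SECURITY_POLICY_URIS:
        uri = security_policy_uri
    else:
        # Unknown policy: reject; never substitute the default silently.
        return "Bad_InvalidArgument", None
    requested = {"KeyLifetime": key_lifetime,
                 "MaxFutureKeyCount": max_future_key_count,
                 "MaxPastKeyCount": max_past_key_count}
    # Values above the SKS limits are adjusted without an error.
    props = {k: min(v, SKS_LIMITS[k]) for k, v in requested.items()}
    props["SecurityPolicyUri"] = uri
    groups[name] = SecurityGroup(name, props)
    return "Good", groups[name]


def revised_values(requested, group):
    """Client side: map each argument the SKS changed to (requested, actual)."""
    return {k: (v, group.properties[k]) for k, v in requested.items()
            if group.properties[k] != v}
```

A client that provisions keys from the values it requested rather than the values it read back will disagree with the SKS about key rotation and about which policy the keys belong to, so `revised_values` is the check to run after every successful call.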

Jim Luth

2021-03-30 15:43

administrator   ~0014132

Agreed to text edited in telecon.
Needs 1.04 Errata to close.

Jim Luth

2021-06-07 17:07

administrator   ~0014483

Agreed to 1.04 Errata edited in Virtual F2F.

Issue History

Date Modified Username Field Change
2021-03-17 13:28 Matthias Damm New Issue
2021-03-17 13:28 Matthias Damm Status new => assigned
2021-03-17 13:28 Matthias Damm Assigned To => Matthias Damm
2021-03-18 10:14 Zbynek Zahradnik Note Added: 0014042
2021-03-30 14:29 Matthias Damm Status assigned => resolved
2021-03-30 14:29 Matthias Damm Resolution open => fixed
2021-03-30 14:29 Matthias Damm Note Added: 0014121
2021-03-30 15:43 Jim Luth Note Added: 0014132
2021-06-07 17:07 Jim Luth Status resolved => closed
2021-06-07 17:07 Jim Luth Fixed in Version => 1.05
2021-06-07 17:07 Jim Luth Note Added: 0014483