View Issue Details

ID: 0009474
Project: 10000-012: Discovery
Category: Spec
View Status: public
Last Update: 2024-06-11 18:52
Reporter: Matthias Damm
Assigned To: Randy Armstrong
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.05.02
Target Version: 1.05.04 RC1
Fixed in Version: 1.05.04 RC1
Summary: 0009474: Enhancements for G.1 Application Setup with Pull Management
Description

G.1 Application Setup with Pull Management

Current definition:
After establishing a secure channel with the CertificateManager, the Application shall provide user credentials which allow it to register new applications and request new Certificates. The credentials may be provided by prompting a user or they may be one time use credentials delivered via some out of band mechanism such as a web site during the installation process.

Issue:
The whole StartSigningRequest/FinishRequest is built to allow the confirmation of the request in the GDS. It is even stated in FinishRequest: "It is expected that a Client will periodically call this Method until an entity with access to the RegistrationAuthorityAdmin Role has approved the request"
Therefore we must allow Anonymous if the approval is done on the GDS side.

Proposed change
Add the following text:
The Application shall also allow the option for Anonymous user for the case where the CertificateManager supports approval of the registration and Certificate request by an administrator of the CertificateManager.


Current definition:
Once an Application has received its first Certificate then the Certificate can be used in lieu of user credentials when the Application needs to renew its Certificate or update its Trust List.

Issue:
We must make sure the client does not assume the user credential stays valid, can be persisted and used for following updates. Therefore we should clearly state that the credentials are NOT stored after the initial setup is completed.

Proposed addition to the above definition:
Change "then the Certificate can be used" to "then the Certificate with Anonymous user shall be used"
Add the following text:
The user credentials shall not be persisted in the Application after the initial setup with the GDS is completed.

Tags: No tags attached.
Commit Version: 1.05.04 RC
Fix Due Date:

Relationships

related to 0009195 (closed, Randy Armstrong): Define more details about recommended behaviour for "setup state" and TOFU
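
The credential lifecycle proposed in the description, sketched as an added example that is not part of the issue or of the OPC UA specification. `MockCertificateManager`, `PullClient`, their method signatures and the token value are hypothetical stand-ins constructed for the demo; only the method names StartSigningRequest and FinishRequest and the role name come from the text.

```python
ANONYMOUS = None  # stands in for the Anonymous user identity


class MockCertificateManager:
    """Hypothetical in-memory CertificateManager; not a real OPC UA API."""

    def __init__(self, one_time_tokens=()):
        self.tokens = set(one_time_tokens)  # constructed one-time credentials
        self.issued = set()                 # certificates this manager issued
        self.requests = {}                  # request id -> approved?

    def start_signing_request(self, identity, channel_cert):
        rid = len(self.requests) + 1
        known_app = channel_cert in self.issued      # renewal with own cert
        has_token = identity in self.tokens          # initial setup with creds
        self.tokens.discard(identity)                # one time use only
        self.requests[rid] = known_app or has_token  # else wait for an admin
        return rid

    def approve(self, rid):  # action of a RegistrationAuthorityAdmin user
        self.requests[rid] = True

    def finish_request(self, rid):
        if not self.requests[rid]:
            return None                              # still pending
        cert = f"cert-{rid}"
        self.issued.add(cert)
        return cert


class PullClient:
    def __init__(self, manager, credentials=ANONYMOUS):
        self.manager = manager
        self._credentials = credentials  # memory only, never written to disk
        self.certificate = None

    def request_certificate(self, max_polls=5, between_polls=lambda rid: None):
        # Once a certificate exists, use it with the Anonymous user.
        identity = ANONYMOUS if self.certificate else self._credentials
        rid = self.manager.start_signing_request(identity, self.certificate)
        for _ in range(max_polls):
            cert = self.manager.finish_request(rid)
            if cert is not None:
                self.certificate = cert
                self._credentials = ANONYMOUS  # drop credentials after setup
                return cert
            between_polls(rid)  # a real client would wait here
        raise TimeoutError("request not approved yet")
```

The client covers all three cases from the description: setup with one-time credentials, setup as Anonymous with polling until an administrator approves, and renewal with the certificate and the Anonymous user.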

Activities

Matthias Damm

2024-03-17 16:27

developer   ~0020914

Must be moved to Part 12 - not sure why it was created for Part 14

Randy Armstrong

2024-06-11 18:52

administrator   ~0021302

Updated text during F2F review.

Jim Luth

2024-06-11 18:52

administrator   ~0021303

Agreed to changes in Virtual F2F.

Issue History

Date Modified Username Field Change
2024-03-17 15:46 Matthias Damm New Issue
2024-03-17 15:46 Matthias Damm Status new => assigned
2024-03-17 15:46 Matthias Damm Assigned To => Randy Armstrong
2024-03-17 15:47 Matthias Damm Relationship added related to 0009195
2024-03-17 15:49 Matthias Damm Description Updated
2024-03-17 16:27 Matthias Damm Note Added: 0020914
2024-03-19 16:53 Jim Luth Project 10000-014: PubSub => 10000-012: Discovery
2024-06-11 18:52 Randy Armstrong Status assigned => resolved
2024-06-11 18:52 Randy Armstrong Resolution open => fixed
2024-06-11 18:52 Randy Armstrong Note Added: 0021302
2024-06-11 18:52 Jim Luth Status resolved => closed
2024-06-11 18:52 Jim Luth Fixed in Version => 1.05.04 RC1
2024-06-11 18:52 Jim Luth Commit Version => 1.05.04 RC
2024-06-11 18:52 Jim Luth Note Added: 0021303