PIC and RFC 2510

[Bernard Aboba <aboba@xxxxxxxxxxxxx>]

RFC 2510 (and its successor in progress, 
draft-ietf-pkix-rfc2510bis-04.txt),  includes a number of requirements for
Public Key Infrastructure Certificate Management Protocols. From page 7 of RFC 2510bis:

"5. PKI management protocols must allow the use of different
industry-standard cryptographic algorithms, (specifically
including RSA, DSA, MD5, SHA-1)....

6. PKI management protocols must not preclude the generation of 
key pairs by the end-entity concerned..."

However, http://www.ietf.org/internet-drafts/draft-ietf-ipsra-pic-03.txt
notes in section A.4:

"The protocol as described requires the policies of Client and Server to
match regarding credentials. For example, an unrecoverable protocol error
results if the Client is unable to produce a private key but the server requires this
capability. 
    
Several approaches for credential negotiation were considered and rejected
for this protocol, in the interest of simplicity. The general case would
require negotiation of multiple properties in parallel, for example: 
    
   - Is the private key generated by the Client or the AS. 
   - What type of certificate is required, in particular which algorithm. 
   - What length of keys is required, for each of the credential's
       components."

It would therefore appear that PIC does not meet the RFC 2510 requirements
for certificate management protocols. How do we resolve this?