5.1.3 Authorization Validation and Filtering

When processing SIDs from an IP/STS, relying parties must ensure that the IP/STS is authorized to issue SIDs that fall under a particular set of subauthorities. This is similar to namespace collision concerns with UPN and EmailAddress claims (as specified in [MS-MWBF] section 5.1.6).<25>