Proof of Possession
Not every CA/RA will require Proof-of-Possession (of signing key or of decryption key) in the certification request protocol. Although this specification STRONGLY RECOMMENDS that POP be verified by the CA/RA (because created certificates become less meaningful in the PKI otherwise; see Section 2.3), this may ultimately be a policy issue which is made explicit for any given CA in its publicized Policy OID and Certification Practice Statement. All end-entities should be prepared to provide POP (i.e., these components of the PKIX-3 protocol should be supported).
CAs/RAs may therefore conceptually be divided into two classes (those which require POP as a condition of certificate creation and those which do not). End-entities may choose to make verification decisions (as one step in certificate chain processing) at least partly by considering which types of CAs have created the certificates included in the chain.