diff --git a/CertificationPracticeStatement.html b/CertificationPracticeStatement.html
index e6ad9fc..8b37b15 100755
--- a/CertificationPracticeStatement.html
+++ b/CertificationPracticeStatement.html
@@ -3121,16 +3121,11 @@ Refer to SM3.1 "Logical Security - Network".
 
 <h3><a name="p6.8" id="p6.8">6.8. Time-stamping</a></h3>
 <p>
-Each server synchronises with NTP.
-No "timestamping" service is currently offered.
+The Signing Server receives the time through the serial link, but the synchronisation has to be done manually by a sysadmin.
+All other servers synchronise with NTP or HTTPDATE.
+CAcert might offer a Timestamping Service, or might approve an existing Timestamping Service.
 </p>
 
-  <ul class="q">
-    <li> How does the signing server syncronise if only connected over serial?</li>
-    <li>  How is timestamping done on records?</li>
-  </ul>
-
-
 
 
 <!-- *************************************************************** -->
@@ -3148,7 +3143,6 @@ by the Member or the Non-related Person.
 
 <h3><a name="p7.1" id="p7.1">7.1. Certificate profile</a></h3>
 <h4><a name="p7.1.1" id="p7.1.1">7.1.1. Version number(s)</a></h4>
-<p class="q"> What versions of PGP are signed?  v3?  v4? </p>
 
 <p>
 Issued X.509 certificates are of v3 form.
@@ -3163,18 +3157,16 @@ Client certificates include the following extensions:.
 <ul><li>
     basicConstraints=CA:FALSE (critical)
   </li><li>
-    keyUsage=digitalSignature,keyEncipherment,cRLSign
-  </li><li>
+    keyUsage=digitalSignature,keyEncipherment
   </li><li>
     extendedKeyUsage=emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC
   </li><li>
     authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
   </li><li>
-    subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).
+    subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>) (can be marked critical).
 </li></ul>
   <ul class="q">
     <li> what about Client Certificates Adobe Signing extensions ?</li>
-    <li> SubjectAltName should become critical if DN is removed http://tools.ietf.org/html/rfc5280#section-4.2.1.6</li>
   </ul>
 
 
@@ -3190,7 +3182,7 @@ Server certificates include the following extensions:
   </li><li>
     authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
   </li><li>
-    subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).
+    subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>) (can be marked critical).
 </li></ul>
 
 <p>
@@ -3205,10 +3197,9 @@ Code-Signing certificates include the following extensions:
     extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
   </li><li>
     authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
+  </li><li>
+    subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>) (can be marked critical).
 </li></ul>
-  <ul class="q">
-    <li> what about subjectAltName for Code-signing</li>
-  </ul>
 
 <p>
 OpenPGP key signatures currently do not include extensions.
@@ -3251,7 +3242,7 @@ into certificates:
  </tr>
  <tr>
   <td>
-    1.3.6.1.4.1.18506.4.4
+    1.3.6.1.4.1.18506.4.4.1
   </td>
   <td>
     Certification Practice Statement
