Hi, In the attachment is a sample XML schema and document instance that uses the Agreement Update extensibility feature to implement an IP address update protocol that might be useful for firewall rule configuration. Unlike the certificate update protocol, it is not intended as a "real" protocol but shows how the extensibility feature works. If you think it's not useful for potential users, let me know. (The exercise also helped me find and fix a bug in the AU schema). Pim Attachment: firewallconfig.xsd Description: application/xml <?xml version="1.0" encoding="UTF-8"?> <au:AgreementUpdateRequest xmlns:au="
http://docs.oasis-open.org/ebcore/ns/AgreementUpdate/v1.0" ; xmlns:fw="
http://namespaces.example.com/firewallconfig" ; xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" ; xsi:schemaLocation="
http://namespaces.example.com/firewallconfig firewallconfig.xsd"> <au:ID>81ff47c6-84e7-4e09-8f6b-76f7807622d1</au:ID> <au:CreatedAt>2015-05-12T13:18:33.289487Z</au:CreatedAt> <au:RespondBy>2015-05-19T13:18:33.289487Z</au:RespondBy> <au:CurrentAgreementIdentifier>oldagreement</au:CurrentAgreementIdentifier> <au:UpdatedAgreementIdentifier>newagreement</au:UpdatedAgreementIdentifier> <fw:FirewallUpdateRequest> <fw:AllowIP>10.1.1.1</fw:AllowIP> <fw:DenyIP>10.1.1.2</fw:DenyIP> </fw:FirewallUpdateRequest> </au:AgreementUpdateRequest>