2. We should also have some text describing what should happen when an agent is asked to process an unrecognised extension. I.e should constraint extensions be "critical"? (I think so)
Probably. If they are, then we need a wrapper like Kerberos's "IF-RELEVANT" (see draft-ietf-krb-wg-kerberos-clarifications-04.txt 5.2.6.1), which is mandatory-to-implement and has the semantics that whatever's inside it is ignored if not supported.
Or, we could go the reverse route, making constraint extensions non-critical, but requiring implementation of a wrapper which makes its contents critical. While the two options are semantically equivalent, in this case, I think the former approach is better, because of the reduced chance of an implementation error leading to a security problem -- an implementation which fails to implement IF-RELEVANT correctly is more likely to reject a permissible request than to accept an prohibited one.
If we accept your proposal of replacing constraint ID's with strings, we can easily achieve this effect simply by partitioning the constraint namespace -- any constraint whose name starts with "OPT:" is treated as non-critical.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+%cmu.edu@localhost> Sr. Research Systems Programmer School of Computer Science - Research Computing Facility Carnegie Mellon University - Pittsburgh, PA