From Sam Hartman:
The advice at the end of section 3.5 indicates that there is a DOS attack if
SIDs are not cryptographically random, but only requires at a SHOULD level that
they be cryptographically random. Why is this not a MUST?
Also, given the security properties of SIDs, is it really appropriate for each
NSLP to choose the SID itself? In particular, without making assumptions about
lack of structure in a SID, how can you analyze the structure of GIST? Could an
NSLP embed IP addresses or other structured data in a SID? If so, wouldn't that
have an adverse security impact?