The FAL specifies processing xALs at the RP end. From a security perspective, I feel this is a good requirement for sensitive RPs: https://pages.nist.gov/800-63-4/sp800-63c/fal/#request-xals

We should maybe specify it as a SHALL for the common requirements spec.