In the profile proposal for Publicly Readable Certificates we have the text:
"iii. The CKA_USER attribute on the certificate must be present and set to CK_TRUE."
I replicated that text into the profile document where it reamains; however there is no defined CKA_USER attribute so it is rather unclear to me as to what was meant here and if we do have a new attribute being defined then it needs to be allocated and documented.
The only thing that I could think that it might be meant to be is CKA_PRIVATE with value of CK_FALSE - but as I wasn't the author of the proposal it remains unclear if that was the purpose.
And it would also make sense that all objects being returned in this context SHALL have CK_PRIVATE set to CK_FALSE as they are all being noted as visible without authentication (login) having been performed.