ietf-smime

Re: Mail addresses in S/MIME certs

1999-12-21 23:28:42

Another lurker jumps into the ring.....

This begs the question:  do certificates identify an individual or a role?
There is no effective way for a single certificate to do both.

A second question becomes are certificates appropriate for role definition?
Certificates are usually valid for a span of years.   My role changes
constantly; who I am never really has.  Role definition might be best left
to other objects within a public key infrastructure, such as a directory
leaf entry as an example.  After all, certificates, while important, do not
a pki comprise.  The important thing to get right, and this is process not
technology, is that the email alias is mine, not ours, if you catch the
drift.


Certificates identify whatever you choose to identify.  Certificate
Policies specify the meaning of the naming in the cert.

Attribute Certs are better for dynamic things like roles, as they allow you
to separate the management of the role/credential/attribute from the
management of the key.  An attribute cert is rather like a normal 
Certificate but does not contain a public key (although it does contain a 
pointer to it).

Unfortunately there is not a lot of support in vendor products yet, but
they will get there eventually.
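The separation described above (an attribute cert that carries no key but points at the holder's certificate by issuer and serial, with its own shorter validity), as an added illustration that is not part of this thread: a simplified Python model of the linkage, not the RFC attribute-certificate ASN.1 encoding. Names, serials, dates and the `binds_role` check are constructed; it assumes both certificates' signatures were already verified elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class PublicKeyCert:
    """Identity (public-key) certificate: long-lived, carries the key."""
    issuer: str
    serial: int
    subject: str
    public_key: bytes          # constructed placeholder, not a real key
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class AttributeCert:
    """Attribute certificate: no public key, only a pointer (issuer + serial)
    to the holder's identity certificate plus the attributes it asserts."""
    holder_issuer: str
    holder_serial: int
    attributes: dict           # e.g. {"role": "purchasing-officer"}
    not_before: datetime
    not_after: datetime

def binds_role(pkc, ac, role, now):
    """True iff `ac` points at `pkc`, asserts `role`, and both are valid at `now`.
    Signature checks on both certs are assumed to have been done already."""
    if (ac.holder_issuer, ac.holder_serial) != (pkc.issuer, pkc.serial):
        return False                     # AC belongs to a different key holder
    if not (pkc.not_before <= now <= pkc.not_after):
        return False                     # key certificate itself not valid
    if not (ac.not_before <= now <= ac.not_after):
        return False                     # role assertion expired / not yet valid
    return ac.attributes.get("role") == role

# Constructed sample data: a 3-year identity cert and a 90-day role cert.
T0 = datetime(2000, 1, 1, tzinfo=timezone.utc)
ALICE = PublicKeyCert("CN=Example CA", 1001, "CN=Alice", b"\x00pubkey",
                      T0, T0 + timedelta(days=3 * 365))
ROLE_AC = AttributeCert("CN=Example CA", 1001, {"role": "purchasing-officer"},
                        T0, T0 + timedelta(days=90))

def demo():
    """Role lapses after 90 days while Alice's key cert stays valid; a later AC
    asserts a changed role without reissuing the key cert; an AC pointing at
    another serial does not bind to Alice's key at all."""
    later_ac = AttributeCert("CN=Example CA", 1001, {"role": "auditor"},
                             T0 + timedelta(days=120), T0 + timedelta(days=210))
    other_ac = AttributeCert("CN=Example CA", 1002, {"role": "auditor"},
                             T0, T0 + timedelta(days=90))
    return {
        "role_at_day_30": binds_role(ALICE, ROLE_AC, "purchasing-officer", T0 + timedelta(days=30)),
        "wrong_role_at_day_30": binds_role(ALICE, ROLE_AC, "auditor", T0 + timedelta(days=30)),
        "role_at_day_120": binds_role(ALICE, ROLE_AC, "purchasing-officer", T0 + timedelta(days=120)),
        "new_role_at_day_150": binds_role(ALICE, later_ac, "auditor", T0 + timedelta(days=150)),
        "other_holder": binds_role(ALICE, other_ac, "auditor", T0 + timedelta(days=30)),
    }
```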