Steve,
For the first case, I would observe that if the IRS was a PCA
there would be no question about how to handle this, but that may
not address some aspect of the problem you envision. I think that
the DN you proposed isn't entirely inappropriate. One can imagine
such an entry in the DIT, but usually it would be an alias, pointing
to the real entry for H&R Block. Note that there might be some
slight confusion with the specific example, since if H&R Block were to
register as an organization H&R Block would probably be a CA name,
with the companion private component used to sign certificates, not
tax returns. However, the full DN would be different in that case.
(I suspect a real example might involve a bit more granularity, with
each H&R Block office getting a different certificate. If the IRS
doesn't want to get involved in that level of management, it would be
better to make the H&R Block entry a CA, and let Block do
certification for each office ...)
For the second case you are right that the guidelines
explicitly prohibit issuance of a residential user certificate with
any claim of organizational affiliation. The argument is that it is
inappropriate for someone to claim such affiliation via this
registration path, probably with no way for the named organization to
be informed of the implied relationship. I don't see this as an
inappropriate constraint (obviously, since I authored the document) on
the registration of residential users. I would worry about the
implied coordination of having a PCA that deals with residential users
trying to do any reasonable sort of check to ensure that a claimed
organizational affiliation is legitimate, even given some reasonable
latitude in PCA policies. The various forms of ID which I have as a
resident of my home do not incorporate any reference to my employment
at BBN.
Steve
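An added example, not part of this message or of the PEM specifications, of the check the second case implies: a residential-persona PCA or CA refusing subject names that claim an organizational affiliation. It assumes string-form names like "C=US, ST=MA, CN=..." and that O and OU are the attribute types that express affiliation.

```python
# Added example: a residential-persona registration check of the kind the
# second case implies. Assumed (not from the message): subject names are
# "C=US, ST=MA, CN=..." strings, and organizational affiliation is carried
# by the O and OU attribute types.
ORG_ATTRS = {"O", "OU"}

def split_rdns(dn):
    """Split on commas outside double quotes, honouring backslash escapes,
    so a value such as O="H&R Block, Inc." stays in one piece."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted  # quotes delimit the value, not part of it
        elif ch == "," and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def parse_dn(dn):
    """Return the name as an ordered list of (attribute type, value) pairs."""
    rdns = []
    for part in split_rdns(dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def affiliations(dn):
    """Organizational attributes present in the name, if any."""
    return [(a, v) for a, v in parse_dn(dn) if a in ORG_ATTRS]

def residential_request_ok(subject_dn):
    """A residential PCA/CA cannot verify a claimed affiliation, so any O or
    OU in the subject name is grounds to refuse the request."""
    claimed = affiliations(subject_dn)
    if claimed:
        return False, "affiliation claimed on residential path: " + ", ".join(
            f"{a}={v}" for a, v in claimed)
    return True, "ok"
```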