pem-dev

Re: Two certificate hierarchy questions

1992-03-10 09:08:00
Steve,

        Different residential CAs may, of course, have different
policies.  However, it is not too hard for a residential CA to require
some postal interaction with a registrant, to help ensure that the
claimed identity is at least good enough for the postal service to
deliver mail to the registrant's claimed address.  RSADSI, in their
proposed residential CA offering, calls for notarization of identity.
Others might use postal service mechanisms such as "deliver to
addressee only, return receipt requested."  Nothing is perfect, but
I think users of the certification system can get some feeling
for the level of assurance implied by these sorts of policies.

        What you seem to want is a facility that enables a user to
claim an organizational affiliation, without any mechanism to ensure
that the claim has any basis.  I can't see that such a facility is
either appropriate, or necessary.  Also, this sort of restriction on
the form of residential user DNs is nothing new.  These constraints
have been consistent for a very long time in certification hierarchy
discussions and I don't recall them being a source of contention on
PEM-DEV, or in the meetings which we held last September & October and
which were reported to PEM-DEV.  This structure for residential user
DNs has been illustrated in slides at the PEM WG meetings in Santa Fe,
where no objections were raised.  I don't understand this newfound
concern with regard to this aspect of the scheme.

Steve
