Peter,
I think John did a good job of addressing your questions and
the issues you cited. The current key management scheme is intended
tod accommodate a wide range of PCA policies yet to make it clear to
each user what policy is in force for certificates issued under that
PCA. It is not necessary to impose DN constraints on PCAs or between
PCAs and CAs to make this work. The only requirements on DN
subordination arise below CAs. The software checks in UAs to enforce
the certification hierarchy are simple and a user should be able to
view the DN of the sender (or recipient), plus an indication of the
PCA involved, and get a good idea of what he can infer about the
sender.
Steve