pem-dev

Re: PEM Test Service

1993-02-20 21:35:00
I may be naive here, but I assume if someone comes with
a valid X.500 DN, it will be OK to use - provided it is
also consistent with the constraints of PEM regarding
the DNs in certificates signed by CAs - hierarchical
org name binding (to oversimplify).

Well, yes and no.  Yes, a valid DN could be used, and technology-wise, there
is nothing to stop one from doing so.  However, in terms of legal
representation, you would probably do well not to choose certain DNs.  For
example, should you try to register CNRI as US, NY, IBM, a large, blue
corporation might be upset.  NADF 175 deals with this potential naming
problem by having X.500 DNs match the names assigned under the civil naming
hierarchy.  Since this hierarchy already attempts to provide uniqueness, X.500
uniqueness falls out naturally.  In addition, this has the added benefit of
reducing the need for legal action to defend the validity of a name.  As
I mentioned in my previous message, this does not preclude listing of a
name in many places in the DIT, but through constructed names (multi-attribute
RDNs), uniqueness is preserved.  I don't think that PEM constraints on DNs
really address this situation.  Certainly, the choice of names is not
important to PEM (my org could be NASA, National Aeronautics and Space
Administration, or even NASA Ames Research Center).  However, in terms of
what goes in the DIT, I use the name US, National Aeronautics and Space
Administration which follows the Congressional act which created NASA.  I
don't use NASA because it is possibly ambiguous.  To use a Stan Kelly-Bootle
example, IBM could be Irish Business Machines.

                                                        -Peter
