Well, Rob quoted the text from RFC 1422 as follows:
To complete the strategy for ensuring uniqueness of DNs, there is a
DN subordination requirement levied on CAs. In general, CAs are
expected to sign certificates only if the subject DN in the
certificate is subordinate to the issuer (CA) DN. This ensures that
certificates issued by a CA are syntactically constrained to refer to
subordinate entities in the X.500 directory information tree (DIT),
and this further limits the possibility of duplicate DN registration.
CAs may sign certificates which do not comply with this requirement
if the certificates are "cross-certificates" or "reverse
certificates" (see X.509) used with applications other than PEM.
This appears to make the CA a registration authority for names. "In
general, CAs are expected to sign certificates only if the subject DN in
the certificate is subordinate to the issuer (CA) DN." Is this what is
meant?
Also, In RFC 1422, 3.3.4, saying "listed" rather than "registered" when
referring to the Directory would be better.
Ella Gardner
MITRE