Ray,
As Jim pointed out, the IPRA is the root of the tree and it's
public key is acquired through some out-of-band means. There is no
entity to sign a certificate for the root (no entity is superior to
it) so it's entry is special and can be appropriately tagged as such
in the database. The IPRA certifies only PCAs, making them the second
level of the tree. Their entries can be taged with an PCA marking, or
it can be inferred by their direct relationship to the root (IPRA).
CAs start at level 3, and may appear at lower layers as well. The
name subordination rule applies to entries at level 4 and below, i.e.,
a level 4 (or lower) certificate must contain a subject name
subordinate to its issuer name.
Steve