pem-dev

Re: Are DN's really names?

1993-03-02 15:58:00
Bill,

        Alias entries in an X.500 directory are pointers used to help
overcome the limitations of any choice of hierarchy.  However, an
alias entry in the directory cannot contain a certificate, or any
other data.  I bemoan the fact that alias entries cannot contain
certificates.

        So, if one chases aliases to retrieve a certificate, when you
get the certificate its subject field will contain the DN of the entry
in which it was found (which may have only passing syntactic
relationship to the alias(es) which got you there).  One ought not
trust the certificate to represent any entity other than the one
identified in the subject field.  If this practice is followed, one
should not be tricked by the creation of aliases in the directory.
For example, if you were looking for the certificate for an employee
of Xerox and he happened to work in England, you might resolve a DN
under {C=US, O=Xerox} and get a certificate back with {C=GB, O=Rank
Xerox, ...}.  You may be able to make a determination that the DN in
the certificate represents a reasonable ID for the individual in
question, even though the DN in the certificate is not exactly the one
you thought you would find as you browsed the DIT.  However, a
non-obvious alias should raise a red flag, warranting further
examination.  Ultimately, as noted above, you should rely only on the
DN in the certificate, not the DN of the entry from which the
certificate was retrieved.

Steve
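As an added example (not part of Steve's post or of any PEM implementation), the rule above in Python: a toy directory in which alias entries carry only a pointer, the certificate comes back from the entry that actually holds it, and the caller relies on the certificate's subject DN, comparing it with the DN it asked for only to decide how much scrutiny the alias deserves. The DN layout, the names, and the "same leaf RDN" heuristic are constructed assumptions.

```python
# Toy X.500 directory: alias entries hold a pointer and nothing else; object
# entries hold a certificate whose subject is the entry's own DN.
# All DNs and names here are constructed for illustration.

def parse_dn(text):
    """'{C=US, O=Xerox, CN=Jane Doe}' -> (('C','US'), ('O','Xerox'), ('CN','Jane Doe'))."""
    rdns = []
    for part in text.strip().strip("{}").split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)

def format_dn(dn):
    return "{" + ", ".join("%s=%s" % rdn for rdn in dn) + "}"

class Directory:
    def __init__(self):
        self.entries = {}   # dn -> {"cert": {...}} for objects, {"alias": dn} for aliases

    def add_object(self, dn):
        # The certificate's subject is the DN of the entry in which it lives.
        self.entries[parse_dn(dn)] = {"cert": {"subject": parse_dn(dn)}}

    def add_alias(self, dn, target_dn):
        # An alias cannot contain a certificate or any other data, only the target.
        self.entries[parse_dn(dn)] = {"alias": parse_dn(target_dn)}

    def read(self, dn, max_hops=8):
        """Dereference aliases; returns (entry, hops). Alias loops are refused."""
        seen = [dn]
        while "alias" in self.entries.get(dn, {}):
            dn = self.entries[dn]["alias"]
            if dn in seen or len(seen) > max_hops:
                raise LookupError("alias loop or chain too long")
            seen.append(dn)
        if dn not in self.entries:
            raise LookupError("no such entry: " + format_dn(dn))
        return self.entries[dn], len(seen) - 1

def fetch_certificate(directory, requested):
    """Return (subject_dn_text, verdict). Only the subject identifies the holder;
    the requested DN merely decides how suspicious the alias looks."""
    requested = parse_dn(requested)
    entry, hops = directory.read(requested)
    subject = entry["cert"]["subject"]
    if subject == requested:
        verdict = "exact"           # no alias involved
    elif subject[-1] == requested[-1]:
        verdict = "aliased-check"   # same leaf RDN, different subtree: plausible, verify
    else:
        verdict = "red-flag"        # certificate names a different leaf than you asked for
    return format_dn(subject), verdict

def build_demo_directory():
    d = Directory()
    d.add_object("{C=GB, O=Rank Xerox, CN=Jane Doe}")
    d.add_alias("{C=US, O=Xerox, CN=Jane Doe}", "{C=GB, O=Rank Xerox, CN=Jane Doe}")
    d.add_alias("{C=US, O=Xerox, CN=John Smith}", "{C=GB, O=Rank Xerox, CN=Jane Doe}")
    return d
```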
