"Is this the distinguished name that you thought you were specifying?".
For any worthwhile level of assurance, answering this question relies
surely upon maintaining an assured Directory Service. In a public Directory,
(just one form of X.500, remember, though; there are others) this cannot
by any means ever be assumed, when based on std access protocols, and open
cooperative administration.
Should, however, a Directory entry attribute represent the results of
SIGNATURE upon the EntryInformation, where the signer operates the same
assurance policy as for the certified public-key/name binding, then
relying upon an X.500 Directory for searching and obtaining name mappings
will be open to no new threats to which PEM does not already address
itself. Search (possibly unreliably), in the hope of success, then
validate the info independently of the service's purported success.
This is the strategy for certified public-key/name bindings. Now also
for any other binding for which similar assurance is required... Surely
the best way is to let PEM serve itself this function, as I have
suggested before.
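
The "search, then validate independently" strategy described above, as an added example that is not part of the original message. The `entrySignature` attribute name, the sample entry and the toy key are assumptions constructed for illustration; textbook RSA over SHA-256 with Mersenne primes stands in for the signer's certified key and is not suitable for real use.

```python
import hashlib
import json

# Constructed toy signer key (Mersenne primes, textbook RSA, no padding).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's private exponent

def digest(dn, attrs):
    """Hash an unambiguous encoding of the name together with its attributes."""
    blob = json.dumps({"dn": dn, "attrs": attrs}, sort_keys=True,
                      separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

def sign_entry(dn, attrs):
    """Run by the signer, under the same policy as its name/key certificates."""
    return pow(digest(dn, attrs), D, N)

def verify_entry(dn, attrs, signature, signer_n=N, signer_e=E):
    return pow(signature, signer_e, signer_n) == digest(dn, attrs)

def lookup(directory, wanted_dn):
    """Search the untrusted directory, then validate the answer without it."""
    entry = directory.get(wanted_dn)
    if entry is None:
        return None  # search failed; nothing is trusted either way
    attrs = {k: v for k, v in entry.items() if k != "entrySignature"}
    # The signature is checked against the DN the caller asked for, so an
    # entry served under the wrong name fails just like an altered attribute.
    if not verify_entry(wanted_dn, attrs, entry.get("entrySignature", 0)):
        raise ValueError("entry signature does not verify; discard result")
    return attrs

# Constructed sample directory content.
DN = "CN=Alice Example, O=Example Org, C=GB"
ATTRS = {"mail": "alice@example.org", "telephoneNumber": "+44 20 0000 0000"}
DIRECTORY = {DN: dict(ATTRS, entrySignature=sign_entry(DN, ATTRS))}

if __name__ == "__main__":
    print(lookup(DIRECTORY, DN))
```
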