pem-dev

Re: Assertions About Attributes of Names

1993-08-16 07:33:00
Tom,

        One needs to look at more than just X.509 and X.520 (attribute
types) to understand what constitutes a valid DN, as I noted in my
previous message this morning.  In particular, look at X.521 (object
classes) to get a feel for what combinations of attributes are
generally considered to make sense for different types of entities.
RFC 1422 provides high level guidance (a "muddle of ideas" in your
words) because it was felt that the PEM WG was an inappropriate forum
in which to establish directory schema.  If you are familiar with
earlier versions of the PEM RFCs you will note that we explicitly cut
back on the constraints imposed on DNs in certificates for use with
PEM.

        The bottom line is that we encourage people to select DNs that
will later be conformant to the directory X.500 schema in which the
certificates may be stored.  If you get really creative and use
attributes that are not considered distinguished, or if you use
attributes in combinations that are inconsistent with the object class
definitions for the directory in which you attempt to store your
certificates, then there will be problems.  Thus, while it is true
that you can make up any DNs you like, the question is whether (or
more likely, when) they will come back to haunt you because they are
out of step with the directory schema and object classes that are
widely accepted.

Steve
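The schema-conformance concern raised in the message above can be made concrete with a small checker. The following is an added example, not code from the original post or from the PEM working group. It parses an X.500-style DN in the most-significant-first order used in the PEM RFCs and flags the two failure modes Steve describes: RDN attribute types that are not distinguished naming attributes (the "creative" case), and attribute combinations or orderings that do not fit a conventional C / O / OU / CN hierarchy. The attribute tables and the hierarchy ranks are a constructed, simplified subset in the spirit of X.520 and X.521, not a transcription of either standard.

```python
"""Check X.500-style distinguished names against a simplified, hand-written
schema. The tables below are a constructed subset for illustration; real
X.520 attribute types and X.521 object classes are considerably richer."""
import re
from typing import Dict, List, Tuple

# Long-form X.520 names mapped to the short forms used in the tables below.
ALIASES = {
    "COUNTRYNAME": "C", "STATEORPROVINCENAME": "ST", "LOCALITYNAME": "L",
    "ORGANIZATIONNAME": "O", "ORGANIZATIONALUNITNAME": "OU", "COMMONNAME": "CN",
}

# Distinguished naming attributes and their usual rank in a C / O / OU / CN
# hierarchy (constructed simplification of X.521 name forms).
NAMING_RANK: Dict[str, int] = {"C": 0, "ST": 1, "L": 1, "O": 2, "OU": 3, "CN": 4}

# Attributes a directory entry may carry but which are not distinguished
# naming attributes; putting one in an RDN is the "creative" case.
NON_NAMING = {"DESCRIPTION", "MAIL", "TELEPHONENUMBER", "USERPASSWORD"}

# Attributes that should not repeat along a single DN.
SINGLETON = {"C", "O", "CN"}

_SPLIT_COMMA = re.compile(r"(?<!\\),")   # ',' not preceded by a backslash
_SPLIT_PLUS = re.compile(r"(?<!\\)\+")   # '+' not preceded by a backslash


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Parse 'C=US, O=Example, OU=Sales+L=Boston, CN=Jane' into a list of
    RDNs, each a list of (TYPE, value) pairs. Backslash-escaped ',' and '+'
    are treated as part of the value."""
    rdns = []
    for rdn in _SPLIT_COMMA.split(dn):
        avas = []
        for ava in _SPLIT_PLUS.split(rdn):
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr_type, value = ava.split("=", 1)
            attr_type = attr_type.strip().upper()
            attr_type = ALIASES.get(attr_type, attr_type)
            value = value.strip().replace("\\,", ",").replace("\\+", "+")
            avas.append((attr_type, value))
        rdns.append(avas)
    return rdns


def check_dn(dn: str) -> List[str]:
    """Return a list of schema problems; an empty list means the DN passes."""
    problems: List[str] = []
    seen = set()
    last_rank = -1
    for rdn in parse_dn(dn):
        ranks = []
        for attr_type, value in rdn:
            if attr_type in NON_NAMING:
                problems.append(f"{attr_type} is not a distinguished naming attribute")
                continue
            if attr_type not in NAMING_RANK:
                problems.append(f"unknown attribute type {attr_type}")
                continue
            if attr_type in SINGLETON and attr_type in seen:
                problems.append(f"{attr_type} appears more than once")
            seen.add(attr_type)
            if attr_type == "C" and not re.fullmatch(r"[A-Z]{2}", value):
                problems.append(f"C must be a two-letter country code, got {value!r}")
            ranks.append(NAMING_RANK[attr_type])
        if ranks:
            # A multi-valued RDN is placed by its most specific attribute.
            rank = max(ranks)
            if rank < last_rank:
                label = "+".join(f"{t}={v}" for t, v in rdn)
                problems.append(f"RDN {label} is out of hierarchical order")
            last_rank = rank
    if "C" not in seen:
        problems.append("no country (C) component")
    return problems


if __name__ == "__main__":
    # Constructed sample DNs, not taken from any real directory.
    for sample in [
        "C=US, O=Example Corp, OU=Sales, CN=Jane Doe",
        "C=US, O=Example Corp, MAIL=jane@example.com",
        "C=US, O=Example Corp, CN=Jane Doe, OU=Sales",
    ]:
        print(sample, "->", check_dn(sample) or "ok")
```

The checker is deliberately a lint rather than a full X.521 validator: the real answer to "is this DN valid?" depends on the schema of the directory that will eventually store the certificate, which is exactly the point the message makes.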
