pem-dev

Re: Organizational Roles

1993-08-16 08:08:00
Rich,

        Thanks for forwarding your message.  The observation I'd like
to make is that "role occupant" is not a reasonable attribute for
inclusion in a DN.  It's fine to have it as an attribute in the
directory entry, but not as a distinguished attribute.

        The use of procedural controls on keys, or of dual signatures
on documents (one using the role key and one using the individual
key), strikes me as the preferred way to bind both the individual
user and his role authority into a signature.  Externally, a trading
partner might be most concerned about the role ID, to ensure that the
signature is a valid one representing the company.  For internal audit
and accountability purposes, the specific PA who signed the document
is of interest.  However, the latter requirement can be met in various
ways, two of which were illustrated above.

        So, I'm not sure that we need to represent both the role name
and the individual's name in a single DN.

Steve

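The dual-signature approach Steve describes, worked through as an added example (this is not code from the original thread): the same document carries one signature under the role key and one under the signing individual's key, the trading partner checks only the role signature, and the internal auditor checks both and resolves the individual. It assumes Ed25519 keys and a constructed roster of registered individual signers; a production format would carry a signer identifier instead of trial verification against the roster.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// DualSignature holds the two signatures over one document: one made
// with the role key and one with the individual signer's own key.
type DualSignature struct {
	RoleSig       []byte
	IndividualSig []byte
}

// DualSign signs the same document bytes with both keys.
func DualSign(roleKey, personKey ed25519.PrivateKey, doc []byte) DualSignature {
	return DualSignature{
		RoleSig:       ed25519.Sign(roleKey, doc),
		IndividualSig: ed25519.Sign(personKey, doc),
	}
}

// VerifyAsTradingPartner checks only the role signature, which is all an
// external party needs to accept the document as the company's.
func VerifyAsTradingPartner(rolePub ed25519.PublicKey, doc []byte, sig DualSignature) bool {
	return ed25519.Verify(rolePub, doc, sig.RoleSig)
}

// VerifyForAudit additionally identifies the individual who countersigned by
// matching the second signature against a roster of registered signers
// (constructed stand-in for a signer identifier). Returns the roster index,
// or -1 if either signature fails.
func VerifyForAudit(rolePub ed25519.PublicKey, roster []ed25519.PublicKey, doc []byte, sig DualSignature) int {
	if !ed25519.Verify(rolePub, doc, sig.RoleSig) {
		return -1
	}
	for i, pub := range roster {
		if ed25519.Verify(pub, doc, sig.IndividualSig) {
			return i
		}
	}
	return -1
}

func main() {
	rolePub, roleKey, _ := ed25519.GenerateKey(rand.Reader)   // role key (constructed)
	alicePub, aliceKey, _ := ed25519.GenerateKey(rand.Reader) // one PA's key (constructed)
	doc := []byte("constructed sample document: purchase order 42")
	sig := DualSign(roleKey, aliceKey, doc)
	fmt.Println(VerifyAsTradingPartner(rolePub, doc, sig), VerifyForAudit(rolePub, []ed25519.PublicKey{alicePub}, doc, sig))
}
```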