pem-dev

Re: Assertions About Attributes of Names

1993-08-16 08:22:00
Bob,

        In response to your questions:


        1. (Steve Kent) Is the inclusion of multiple CNs within the
        Distinguished Name field of a PEM certificate a correct interpretation
        of X.509 and RFC 1422?  It certainly seems to be from my reading of
        X.520.

You cannot put multiple CNs into a single RDN; that is prohibited
under the X.500 rule that prohibits ANY attribute from appearing
multiple times within a single RDN.  Thus multiple CNs must appear at
different levels.  Think about what this means.  Imagine a DN
terminating a leaf that is distinguished by one CN attribute (C=US, O=
GTE, S=MA, OU= Laboratory, CN= Robert Jueneman).  Now consider adding
on other CN attributes below this one, to accommodate all those other
names you illustrated.  That doesn't sound right to me in most
instances.  Also, it yields multiple entries, each of which can have
its own certificate, but you can't have one certificate for all of
those entries.  


        2. (Steve Kent, again) Is the inclusion of a Description field in the
        Distinguished Name field of a PEM certificate a correct interpretation
        of X.509 and RFC 1422? Again, it seems to be.

Description is clearly an attribute that is not intended to be
distinguished.  I think if you re-read the sections of X.500 about
naming you can see why this would be a silly attribute to be
distinguished.  So, it does not belong in a certificate subject or
issuer field.

        3. (Steve Kent, the NADF, the gods of X.500 political correctness, et
        al.)  Given the unavailability to date of an explicit Disclaimer or
        similar field to be used for the purpose of defining the limits of
        liability a user is willing to agree to, would the use of the
        Description attribute for the purpose of describing such a Disclaimer
        be considered egregiously poor form?

See answer above about putting a Description attribute into a DN.
Yes, one could put the disclaimer in the description field, but if
that field is not put in the DN, you don't achieve what I suspect you
really want.


        6. (George Parsons and/or Steve Kent, etc.)  Will the RSA/BBN
        Certificate Issuing System allow such constructs in a user's
        Distinguished Name when endorsing the user's certificate?

I think the SafeKeyper is pretty liberal about what attributes
it accepts in a DN, though Charlie Gardiner is the real expert on that
since he developed the code.  At one time we were picky, but, in the
interest of generality, I think we may have dropped the checking for a
specifically allowed set of attributes in DNs.  RSADSI will have to
answer about what their software checks.  However, I think the issues
here are not only what particular hardware or software will allow, but
what makes sense in a larger context.


Steve

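The X.500 rule Steve cites above (no attribute type may occur twice within one RDN, so a second CN can only sit at another level, and Description is not a distinguishing attribute), as an added example that is not part of the original message: a small Python checker over a simplified string form of a DN. Assumed: RDNs are separated by "," and attributes within one RDN by "+", with no escaping of those characters in values; the sample DNs are constructed here.

```python
# Added example, not code from the pem-dev thread. Simplified DN syntax is assumed:
# "RDN,RDN,..." with one RDN holding several attributes joined by "+"; no escaping.

# Attributes that X.500 does not intend to be distinguishing and that therefore
# do not belong in a certificate subject or issuer DN (per the message above).
NON_DISTINGUISHING = {"DESCRIPTION"}


def parse_dn(dn: str):
    """Return a list of RDNs, root first; each RDN is a list of (type, value) pairs."""
    rdns = []
    for rdn in dn.split(","):
        avas = []
        for ava in rdn.split("+"):
            typ, sep, val = ava.partition("=")
            if not sep or not typ.strip() or not val.strip():
                raise ValueError(f"malformed attribute assertion: {ava!r}")
            avas.append((typ.strip().upper(), val.strip()))
        rdns.append(avas)
    return rdns


def check_dn(dn: str):
    """Return a list of problems found in a subject/issuer DN (empty means acceptable)."""
    problems = []
    for level, rdn in enumerate(parse_dn(dn)):
        seen = set()
        for typ, _ in rdn:
            # X.500: an attribute type may not appear more than once in a single RDN.
            if typ in seen:
                problems.append(f"RDN {level}: attribute {typ} appears more than once in one RDN")
            seen.add(typ)
            if typ in NON_DISTINGUISHING:
                problems.append(f"RDN {level}: {typ} is not a distinguishing attribute")
    return problems


def count_levels(dn: str, typ: str) -> int:
    """How many RDN levels carry the given attribute type (multiple CNs must be stacked this way)."""
    typ = typ.upper()
    return sum(1 for rdn in parse_dn(dn) if any(t == typ for t, _ in rdn))
```

The multi-valued RDN form ("CN=a+CN=b") is rejected, while the same two CNs at separate levels parse as distinct entries, which is exactly the consequence the message warns about.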