pem-dev

Assertions About Attributes

1993-08-16 15:20:00
Steve,

      The suggestion I made for adding an "ID number" attribute for
use in DN has nothing to do with the 1992/3 X.500 spec addition of the
unique ID fields.  Those fields are NOT part of the DN, only part of
the certificate.  Those new fields would help deal with the serial time 
uniqueness issue IF you didn't already have an employee ID number.  

Sorry, I confused the "subjectUniqueIdentifier" in the certificate with
the uniqueIdentifier defined in X.520 '93. But I am still somewhat 
confused in trying to understand the mechanics of how we should 
implement the addition of your "ID number" for use in the DN.

(There is also the dnQualifier (defined in the '93 version) which could 
potentially be used, and it is a printable string rather than being a bit string
the way the UID field is defined.)

However, I would think that the serialNumber attribute would be the best
choice, although at present it seems to be associated with devices. 
(The first time X.5xx makes a reasonably concrete suggestion re semantics,
I want to generalize it!)

Would the serialNumber attribute (attribute type 5, defined in the '88 version
as well as in the '93 version) meet your "silliness" test for a distinguished 
attribute, for inclusion in a DN?

Would the various implementations that are out there or about to be out there
support it?

Bob
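
One way the serialNumber attribute asked about in this message could sit in a DN, shown as an added example that is not part of the original post or of any PEM implementation: a minimal DER encoder in which serialNumber shares a multi-valued RDN with the common name. The placement in the RDN, the sample names and numbers, and the choice to encode every value as PrintableString are assumptions.

```python
import string

# X.520 attribute types; serialNumber is "attribute type 5", i.e. OID 2.5.4.5.
ATTRS = {"CN": "2.5.4.3", "serialNumber": "2.5.4.5", "C": "2.5.4.6", "O": "2.5.4.10"}
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")

def tlv(tag, body):
    """DER tag-length-value with a definite short-form or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def oid(dotted):
    """OBJECT IDENTIFIER: first two arcs share one octet, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def printable(value):
    """PrintableString (tag 0x13); reject characters outside its alphabet."""
    if not value or not set(value) <= PRINTABLE:
        raise ValueError(f"not a PrintableString: {value!r}")
    return tlv(0x13, value.encode("ascii"))

def rdn(**avas):
    """RelativeDistinguishedName: SET OF AttributeTypeAndValue, sorted for DER."""
    encoded = [tlv(0x30, oid(ATTRS[k]) + printable(v)) for k, v in avas.items()]
    return tlv(0x31, b"".join(sorted(encoded)))

def name(*rdns):
    """Name: SEQUENCE OF RDN, most significant RDN first."""
    return tlv(0x30, b"".join(rdns))

# Constructed sample: two subjects with the same common name in one organization.
base = [rdn(C="US"), rdn(O="Example Corp")]
first = name(*base, rdn(CN="J Smith", serialNumber="10482"))
second = name(*base, rdn(CN="J Smith", serialNumber="20917"))

if __name__ == "__main__":
    print(first.hex())
    print(second.hex())
    print("distinct DNs:", first != second)
```

Because the number is part of the Name itself, the two encodings differ even though the common names match, which is the property the certificate-level unique ID fields do not give the DN.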
