pem-dev

The relationship between an entry and a real-world object

1993-08-18 08:41:00
A real-world object refers to a person, an organization, etc.  An entry
in the Directory models a real-world object.  A DN uniquely identifies
at most one entry in the Directory.

The Directory is a listing (publication) mechanism, not a registration
mechanism.  (Consult SD-5 from the NADF for the differences; see RFC
1417 for information on the NADF's SD document series.)

Consider the DN

        { c=US, st=California, o=Dover Beach Consulting, Inc. }

It is a matter of fiction to assert that any binding exists between the
entry pointed to by this DN and the real world.  The entry may be
modelling a corporation registered with California's Secretary of State.
It may be modelling something else.

The only way to determine if there is a binding is to understand the
relationship between registration and listings when DNs are assigned.
This knowledge lies OUTSIDE of the Directory.  Without this knowledge,
you can't look at an arbitrary DN and make reasonable inferences about
the corresponding real-world object.

So, all a certificate really tells you is a pairing between two DNs.
How those DNs relate to the real world is something outside the
Directory.

We could just as easily define a new certificate structure using RFC 822
addresses (local@domain).  The same distinction between registration and
listing exists.

/mtr
