Mark,
I suppose I could be assigned a DN of
C=US,O=Internet, OU=BUNNY.GTE.COM
CN=rrj0.
But as Jeff Schiller said once, "it just might
work, but it would be wrong!", at least from
the standpoint of any PCA that would represent
itself as having any type of high assurance
policy.
That is the major criticism I would have of the
draft policy for the COST PCA -- it uses that
type of low assurance binding of DNs to Internet
names, yet they call themselves a high assurance
PCA.
On the other hand, such an approach might represent
a useful halfway step between the completely
anonymous Persona PCA and the RSA Commercial
Hierarchy, which (hopefully) will evolve to support
at least some type of legally binding commitment.
It wouldn't mind, for example, if the TIS-PCA were
to adopt this approach for casual email, including
privacy and semi-authentication, since most of that
user community doesn't seem to care all that much
about trust issues in any case.
Just don't try to send the Sheriff or a process server
to an e-mail account!
Bob