Mark,
X.501(93) 8.3 seems to say "A single value instance of any attribute type may
form part of the RDN, depending on the nature of the object class denoted.".
DNs have equality matching, so they should be usable as value instances.
If this is refined elsewhere to restrict certain values from being in RDNs,
I'd like to see this - some other things I'm working on put attribute sets and
DNs into attributes, and these attributes might be used for naming.
The actual sentence says "A single value instance of any APPROPRIATE
attribute type may form part of the RDN, depending on the nature of the object
class denoted."
Now what the heck does that mean? I'm assuming that it means appropriate to the
object class denoted by the RDN.
Since the object class organizationalRole includes roleOccupant, roleOccupant
ought to be a valid attribute, and a DN a valid value for that attribute type.
UTCTime, on the other hand, would not be a valid attribute.
If roleOccupant is a valid attribute type, then the syntactic definition of
    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
    distinguishedName ::= RDNSequence
would NOT appear to rule out a nested DN.
I also like your observation that the roleOccupant is a PURPORTED DN, since
no confirmation is made that that person even exists, much less is registered
in the directory.
In fact, I could almost argue that the DN in the X.509 certificate is a
purported DN, since, particularly in the PEM-without-X.500 case, there is no
requirement that that person actually be registered, or even that a functional
X.500 exist!
Maybe we should just look at these things as funny character strings, and ignore
some of the more esoteric and theological X.500 implications for now?
Bob
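[Editor's note: the following worked example is added here and is not part of
Bob's message. It makes the syntactic point above concrete: a Name is encoded in
DER whose last RDN carries a roleOccupant attribute whose value is itself a Name,
and the result is decoded again, showing that RDNSequence ::= SEQUENCE OF
RelativeDistinguishedName by itself places no restriction on the attribute value
and so does not rule out a nested DN. The only thing that knows a roleOccupant
value is a DN is the decoder's per-type dispatch on the OID, i.e. the "ANY
DEFINED BY type" part, not the RDN syntax. Assumptions: the X.520 OIDs used
(commonName 2.5.4.3, organizationName 2.5.4.10, roleOccupant 2.5.4.33), a
minimal hand-rolled DER codec rather than pyasn1, and constructed sample names;
nothing here consults a directory, so the nested DN is exactly as "purported" as
the text says.]

```python
# Added example (editor's, not from the original message). Assumptions:
# X.520 OIDs below; minimal hand-rolled DER; constructed sample names.
CN = "2.5.4.3"               # commonName
O = "2.5.4.10"               # organizationName
ROLE_OCCUPANT = "2.5.4.33"   # roleOccupant, DistinguishedName syntax


# ---- DER encoding --------------------------------------------------------
def der_len(n):
    """Length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def utf8(s):
    return tlv(0x0C, s.encode("utf-8"))


def atv(type_oid, value_der):
    # AttributeTypeAndValue ::= SEQUENCE { type OID, value ANY DEFINED BY type }
    # The value is opaque here: a UTF8String or a whole Name encode alike.
    return tlv(0x30, oid(type_oid) + value_der)


def rdn(*atvs):
    # RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
    # DER orders SET OF members by their encodings (X.690 11.6).
    return tlv(0x31, b"".join(sorted(atvs)))


def name(*rdns):
    # Name ::= RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
    return tlv(0x30, b"".join(rdns))


# ---- DER decoding --------------------------------------------------------
def der_read(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Return [[(oid, value), ...], ...]. Only the OID tells us that a
    roleOccupant value is itself a Name; the RDN structure does not."""
    tag, content, _ = der_read(der)
    assert tag == 0x30, "Name must be a SEQUENCE"
    out = []
    for rtag, rbody in children(content):
        assert rtag == 0x31, "RDN must be a SET"
        atvs = []
        for _, abody in children(rbody):
            (_, oid_body), (vtag, vbody) = children(abody)
            t = decode_oid(oid_body)
            if t == ROLE_OCCUPANT and vtag == 0x30:
                atvs.append((t, decode_name(tlv(vtag, vbody))))  # nested DN
            else:
                atvs.append((t, vbody.decode("utf-8")))
        out.append(atvs)
    return out


def render(parsed):
    """String form; a nested Name is shown in braces."""
    rdns = []
    for atvs in parsed:
        parts = []
        for t, v in atvs:
            label = {CN: "CN", O: "O", ROLE_OCCUPANT: "roleOccupant"}.get(t, t)
            if isinstance(v, list):
                v = "{" + render(v) + "}"
            parts.append(f"{label}={v}")
        rdns.append("+".join(parts))
    return ",".join(rdns)


# Constructed sample: Alice's DN is the roleOccupant value inside the RDN
# of an organizationalRole entry (cn + roleOccupant as a multi-valued RDN).
ALICE = name(rdn(atv(O, utf8("Example Org"))), rdn(atv(CN, utf8("Alice Example"))))
ROLE = name(rdn(atv(O, utf8("Example Org"))),
            rdn(atv(CN, utf8("Security Officer")), atv(ROLE_OCCUPANT, ALICE)))

if __name__ == "__main__":
    print(ROLE.hex())
    print(render(decode_name(ROLE)))
```

Running it prints the DER hex and then
O=Example Org,CN=Security Officer+roleOccupant={O=Example Org,CN=Alice Example}.
Note that decode_name never checks that Alice exists anywhere; a consumer that
matches on this DN is trusting a string the encoder chose, which is the
"purported DN" point made above.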