pem-dev

Re: PCA Policies

1993-08-31 12:12:00
Bob,

        roleOccupant is a reasonable attribute in an entry for a role,
but I question whether it is reasonable for it to be a distinguished
attribute in such an entry.  Let me try to motivate this observation:

        One could establish an entry for a role such as "Vice
President, Sales" with the intent that the private key corresponding
to the certificate associated with that role would be made available to
the individual who was the current occupant of that role.  If one uses
hardware cryptographic tokens of some sort (e.g., smart cards, smart
disks, PCMCIA cards), then the card containing the private key would
be physically transferred to the new Sales VP along with the key to
the big corner office, etc.  The individual who fills the role might
have his own certificate that identifies him merely as an employee of
the company, with no indication of title.  An advantage of this scheme
is that it minimizes CRL listings when people change jobs.

        For external purposes, it may suffice to have a document
signed with the private key corresponding to the role of Sales VP,
irrespective of the individual currently occupying that role.  The
fact that the current role occupant is capable of using the token to
sign the document may suffice for external business purposes, where
the concern is not so much WHO signed the document but whether the
signer was AUTHORIZED (empowered) to sign on behalf of his company.
Internally, there is usually an accountability requirement that might
be met by having the role occupant ALSO sign the document, so that we
know which Sales VP (serially over time) committed the company on
that money-losing fixed price bid ...  Use of multiple signatures on
a document would support this model of doing business.

        Although I recall Mr. Jones not being fond of this model, when
I mentioned it previously, I don't recall any substantive, technical
arguments being put forth.

Steve
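The dual-signature model described in the message above, as an added Go example that is not part of the original thread: a long-lived role key and the occupant's personal key each sign the document; an external verifier checks only the role signature, while an internal verifier checks both and ties the document to a known occupant. All keys, names and the document are constructed for the example, and Ed25519 is used as a stand-in for whatever signature algorithm the deployment actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signed carries one document with two signatures: one from the role's key
// (in the message's model, held on a token handed to each successive
// occupant) and one from the current occupant's personal key.
type Signed struct {
	Doc      []byte
	RoleSig  []byte // made with the role's private key
	Occupant string // occupant's name, as in their own employee certificate
	OccSig   []byte // made with the occupant's personal private key
}

// SignAsRole produces both signatures over the same document bytes.
func SignAsRole(doc []byte, roleKey, occKey ed25519.PrivateKey, occupant string) Signed {
	return Signed{
		Doc:      doc,
		RoleSig:  ed25519.Sign(roleKey, doc),
		Occupant: occupant,
		OccSig:   ed25519.Sign(occKey, doc),
	}
}

// VerifyExternal is what an outside party checks: only that the signer was
// empowered to bind the company, i.e. that the role key signed the document.
func VerifyExternal(s Signed, rolePub ed25519.PublicKey) bool {
	return ed25519.Verify(rolePub, s.Doc, s.RoleSig)
}

// VerifyInternal adds the accountability check: the role signature must
// verify AND the named occupant must be a known employee whose personal
// key also signed the same bytes.
func VerifyInternal(s Signed, rolePub ed25519.PublicKey, staff map[string]ed25519.PublicKey) bool {
	occPub, known := staff[s.Occupant]
	return known && VerifyExternal(s, rolePub) && ed25519.Verify(occPub, s.Doc, s.OccSig)
}

func main() {
	rolePub, roleKey, _ := ed25519.GenerateKey(rand.Reader) // "Vice President, Sales" (constructed)
	alicePub, aliceKey, _ := ed25519.GenerateKey(rand.Reader) // current occupant (constructed)
	staff := map[string]ed25519.PublicKey{"alice": alicePub}
	s := SignAsRole([]byte("fixed price bid #1 (constructed)"), roleKey, aliceKey, "alice")
	fmt.Println("external:", VerifyExternal(s, rolePub), "internal:", VerifyInternal(s, rolePub, staff))
}
```

When the role passes to a new occupant, only the staff map changes; the role public key, and every earlier role signature, stays valid without a CRL entry.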
