A detail that hasn't been mentioned in this discussion is that in
X.521's recommendation of how to construct the dname for an
organizational role, the "nested" dname of the occupant is optional.
The discussion so far seems to reflect the view that therefore the value
is never present.

However, X.521 also says that a role is normally considered to be filled
by a person. Therefore, in practice, I would expect administrative
naming authorities to include the dname of the actual person occupying
the role. If this practice is adopted, I believe it speaks to the
principal areas of concern being discussed, particularly if the public
key in the certificate changes (as well it should) every time the actual
occupant changes.

Jim