Ali,
In your response to Charlie's comments, let me observe
that one can use a DN as input to an access control decision,
without needing to add non-identifying attributes to a DN. One can
construct access control lists (ACLs), using DNs (and star name
DNs) as entries. With name subordination and global uniqueness,
these access control list entries can consist of just the subject
DN, or at most the PCA and subject DNs.
Note that without name subordination full certification paths
would be required for each ACL entry! Name subordination is
important both as a means of aiding in distributed name assignment
AND in protecting against the surprises that can otherwise result.
Finally, globally unique names could be constructed in lots of
ways, but many of these ways would not be very descriptive. Non-descriptive
unique names are hard to map to the real world and
this additional layer of mapping must be secure if we are to use
it as a basis for making value judgments and/or managing access
control. Thus use of non-descriptive names merely pushes the
problem of securely mapping them to some other, not yet specified,
part of a system architecture.
Steve
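Added example (mine, not code from Steve's message or from the thread) of the scheme the message describes: an ACL whose entries are bare subject DNs, made safe by checking name subordination along the certification path. Assumed here: a DN is written root-first as '/'-separated RDNs, a "star name" entry uses `*` as a one-RDN wildcard, and every CA below the PCA may only certify names subordinate to its own DN.

```python
# Added example, not from the original message. Assumptions (mine): DNs are
# root-first, '/'-separated RDNs such as 'C=US/O=Acme/CN=Alice'; a star name
# uses '*' as a one-RDN wildcard; a certification path is a list of
# (issuer, subject) DN pairs starting at the PCA; each CA below the PCA may
# only certify names subordinate to its own DN (the PCA link is exempt).

def parse_dn(dn):
    """Split 'C=US/O=Acme/CN=Alice' into its RDNs, root first."""
    return [rdn.strip() for rdn in dn.split("/") if rdn.strip()]

def is_subordinate(issuer_dn, subject_dn):
    """Name subordination: the subject's DN must strictly extend the issuer's."""
    issuer, subject = parse_dn(issuer_dn), parse_dn(subject_dn)
    return len(subject) > len(issuer) and subject[: len(issuer)] == issuer

def matches_entry(entry_dn, subject_dn):
    """An ACL entry matches when every RDN is equal or is the '*' star name."""
    entry, subject = parse_dn(entry_dn), parse_dn(subject_dn)
    return len(entry) == len(subject) and all(
        e == "*" or e == s for e, s in zip(entry, subject))

def path_is_well_formed(path):
    """Each link after the PCA link must chain onto the previous subject and
    obey subordination; this is what lets an ACL entry be just a DN."""
    for i, (issuer, subject) in enumerate(path):
        if i > 0 and issuer != path[i - 1][1]:
            return False          # broken chain
        if i > 0 and not is_subordinate(issuer, subject):
            return False          # CA stepped outside its own name subtree
    return True

def check_access(acl, path):
    """ACL entries are (pca_dn or None, subject_dn). Grant only when the path
    is well formed and the end-entity DN (and PCA, if given) match an entry."""
    if not path or not path_is_well_formed(path):
        return False
    pca_dn, end_entity = path[0][0], path[-1][1]
    return any((pca is None or pca == pca_dn) and matches_entry(entry, end_entity)
               for pca, entry in acl)

# Constructed sample data.
ACL = [(None, "C=US/O=Acme/OU=Eng/*"), ("C=US/O=Example PCA", "C=US/O=Bank/CN=Bob")]
GOOD_PATH = [("C=US/O=Example PCA", "C=US/O=Acme"),
             ("C=US/O=Acme", "C=US/O=Acme/OU=Eng"),
             ("C=US/O=Acme/OU=Eng", "C=US/O=Acme/OU=Eng/CN=Alice")]
# The 'surprise' the message warns about: Acme's CA certifies a name under O=Bank.
ROGUE_PATH = [("C=US/O=Example PCA", "C=US/O=Acme"),
              ("C=US/O=Acme", "C=US/O=Bank/CN=Bob")]
```

Without the subordination check, the rogue path would satisfy the second ACL entry even though no authority for O=Bank ever vouched for Bob's name.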