Peter,
You are quite right to point out that the certification system
we are establishing may, hopefully will, be used by more than PEM.
1422 makes explicit provision for this by noting that although
cross-certification is not allowed for PEM, CAs participating in the
certification system may cross-certify for uses other than PEM. Thus
the burden of checking for cross-certification as a violation of PEM
certification rules is borne primarily by UAs.
I'd like to understand more about your use of X.509
certificates for rule-based access control in the directory
environment. I was involved in a directory security project that
addressed that problem. We noted the lack of such controls in the
directory and adopted techniques to compensate, but they are not
"standard." We also had the advantage of working in a context where
the authorization attributes were bound to the public key inside the
certificate, so there was no need to work with the DNs to achieve the
stated goals. I can't necessarily recommend this approach in general,
but it happened to be consistent with the crypto technology we were
using and thus we exploited that "feature."
Steve