Peter,
Each PEM UA must have the IPRA public key available to it.
That key is unique because it is not in a certificate and it is the
root of all certification paths. The IPRA signs ceretificates only
for PCAs, thus a PCA certificate is easily identified by being signed
by the IPRA. While we have been waiting to the IPRA to come into
existence, a good PEM implementation might provie a facility for users
to accept PCA public keys and insert them into the cache. These have
to be treated specially, in the absence of the IPRA, as they cannot be
signed (other than self-signed) and thus should require some special
effort to be inserted into the cache. There is no requirement for any
special name string to appear in a PCA DN, or for that DN to have a
specific form.
Steve