Paul,
I believe the canonical representation of a DN is specified by
the DER and the search rules you describe do not affect that
representation. I've seen nothing in the discussion of certificate
processing that would call for canonicalization of the attribute
values within a subject or issuer DN in a certificate as part of
checking a signature. Thus I interpret your comment as relevant to
local processing relative to a search requested by the user through
his interface, rather than based on any incoming certificate info,
e.g., from a received PEM message or from a DUA transaction. In that
context, I would expect it to be more useful to map from local aliases
and DNS names to certificates, a feature that seems to be sorely
lacking in all of the PEM implementations I've seen to date.
Steve
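
The distinction drawn in the message above, as an added example that is not part of the original message: the DER encoding of a DN is a deterministic function of its attribute values and is what a hash or signature covers, while a directory-style matching rule compares values after folding. The sample names, the helper names, the simplified case-ignore folding, and the use of SHA-256 as a stand-in for the digest step of a signature are all assumptions made for illustration.

```python
import hashlib

# X.520 attribute type OIDs (2.5.4.x), already in DER content form.
OIDS = {"C": bytes([0x55, 0x04, 0x06]),
        "O": bytes([0x55, 0x04, 0x0A]),
        "CN": bytes([0x55, 0x04, 0x03])}

def tlv(tag, content):
    """DER tag-length-value with definite, minimal length octets."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def der_name(rdns):
    """Encode [(type, value), ...] as a Name, one AVA per RDN,
    values as PrintableString. No folding of the values is done."""
    out = b""
    for typ, val in rdns:
        ava = tlv(0x30, tlv(0x06, OIDS[typ]) + tlv(0x13, val.encode("ascii")))
        out += tlv(0x31, ava)  # SET OF with a single member
    return tlv(0x30, out)

def case_ignore(value):
    """Simplified case-ignore folding: trim, collapse spaces, fold case."""
    return " ".join(value.split()).lower()

def names_match(a, b):
    """Search-time comparison: equal after folding each value."""
    fold = lambda dn: [(t, case_ignore(v)) for t, v in dn]
    return fold(a) == fold(b)

def digests_equal(a, b):
    """Signature-time comparison: digest over the encoded bytes as they are."""
    return (hashlib.sha256(der_name(a)).digest()
            == hashlib.sha256(der_name(b)).digest())

# Constructed sample data: a subject DN as carried in a certificate,
# and the same name as a user might type it into a search interface.
CERT_SUBJECT = [("C", "US"), ("O", "Example Org"), ("CN", "Alice Smith")]
USER_QUERY = [("C", "us"), ("O", "example  org"), ("CN", "alice smith")]

if __name__ == "__main__":
    print("match under search rule:", names_match(CERT_SUBJECT, USER_QUERY))
    print("same encoded bytes:     ", digests_equal(CERT_SUBJECT, USER_QUERY))
    print(der_name(CERT_SUBJECT).hex())
```
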