Bob,
You seem unhappy that only certain attributes were chosen for
use as DISTINGUISHED naming elements.
(5'2" - eyes of blue) may be distinguishing to you but is merely
descriptive, i.e. attributes to me.
AttributeCertificates as proposed by X9.30 in fact do NOT contain
the holder's DN but a pointer (consisting of issuer DN, UID etc.)
to the holder's key certificate. (Note that one needs to use a
DN to look up and validate the AttributeCertificate issuer as well.)
X9.30 would allow you to construct any attribute or group any set
of attributes your heart desires, associate those SIGNED attributes
with a primary certificate, and manage them through an entirely
separate hierarchy. Included could be the "Bob Jueneman Trusted
Mail Address Attribute" which could be signed in (digital) blood
by the GTE Lawyers(tm).
You still haven't supplied me with a global reference key (DN)
and database (Directory) to find your foomail certificate and
authorizations so I can decide whether to talk to you or not!
John