Bob,
Your certificate syntax fails on several counts; it surely fails to
act as an extension to 1992 certificates by leaving out the UIDs
which other more mature specifications (X9.30 for example) make
use of!
1) You continue to allow DNs for identification purposes but suggest
   that perhaps they be kept "minimal". I don't understand: do
   you want to retain DNs or not?
2) You specify an extension to the certificate syntax without
   consideration of the purpose or semantics.
   a) Why are arbitrary attributes being BOUND IN with
      a key certificate? Why can't they exist as
      separate (dare I say MIME-like or X9.30) objects?
   b) Who assigns them and why should the recipient believe
      them? Who assigns the CA's attributes, ad infinitum
      ...?
   c) How are these things revoked? What is the mechanism?
      Do they expire? What if the authority of the issuer
      is revoked or expires?
3) You can't really think that the "end-to-end" certificate
   discovery process is going to scale well? (Then again ...)
   Talk about cumbersome?! How is it going to be managed?
4) Why are you suggesting a new syntax without (admittedly!) studying
   other existing works? Surely you don't think you are the first
   to encounter these problems or that this problem is so unique
   that other architectures have nothing to suggest or offer?
John