Bob,
When you state that you don't know why Certificates have DNs, I worry.
When you state that you have a copy of X9.30 and talk to the X9 folks
but haven't read the document and apparently are unaware of the
work being done with attribute certificates, I worry.
When you state that X9.30 does not support exclusion, I worry.
(As I said, you can create any attribute your heart wishes ...)
When you propose a syntax _change_ to a defined object (Certificate)
so that it branches rather than _extends_ the definition, I worry.
When you propose a distribution system which is apparently not
going to scale well and defend it by saying that users
only communicate with a limited set of people ..., I worry.
(That statement constitutes an admission that it won't scale well!)
When you state that a CA is going to be able or willing to
'endorse' or 'assign' attributes without considering whether
this will be true for any set of INTERESTING attributes, I worry.
(X9.30 allows for separate management of attributes by CAs or
any authorized issuer.)
When you fail to address how and when attributes might expire or
be singularly or severally revoked, or what impact it might have
if the attribute in question is typically short lived, I worry.
When you fail to address the issue of what it may mean to revoke
a CA's authority (attribute) to delegate, I worry.
I don't know what to think when you propose a syntax to this
group and haven't supplied a detailed context or semantic.
****
I think it would be constructive if you would present a concise
list of defects in PEM. When the list is agreed upon, then
solutions can be proposed.
I even volunteer to be the recorder. Send the defects to me, I will
try to compile and organize them and submit the list to the group
for comment.
John