pem-dev

Encoding e-mail addresses -- the dual hierarchy problem

1994-03-15 05:06:00
Let's step back a bit from the discussion we're having about encoding
email addresses in the distinguished name syntax and look at the trust
issue.

There are two name spaces in the discussion, traditional distinguished
names and email addresses.  Part of what we're attempting to do is
establish a correspondence between them.  The central question is who
owns the two spaces?  A particular DN and a particular EN should be
joined together only if the two owners of the spaces agree to the
joining.

There are two important cases.

SAME OWNER: Let's suppose our system administrator owns all DNs
beginning with

        /C=US,
        /O=Trusted Information Systems,

and he also owns all domain names ending with tis.com.

According to our local rules, it's within his purview to make a joint
assignment, e.g.

        /C=US,
        /O=Trusted Information Systems
        /CN=Stephen D. Crocker

and     crocker@tis.com

(I'm deliberately leaving unspecified how to weave these together.)

DIFFERENT OWNER: On the other hand, suppose we have a service
provider, e.g. openair.com, willing to sell numbered mailboxes to
anyone, and let's suppose that a small company, Three Lawyers on a
Stool (TLS), owns the distinguished name space for its company but
uses email accounts on openair.com.  In order to join

        /C=US,
        /O=Three Lawyers on a Stool,
        /CN=Curly

with    12345@openair.com

the system administrator of Three Lawyers on a Stool and the system
administrator of openair.com will have to agree.  This seems to me to
require two signatures somewhere along the line.

VARIATIONS: Name spaces can be delegated.  For example, the system
administrator for Three Lawyers on a Stool may very well delegate to
each lawyer the right to enter correspondences involving his own name.

There is a lot more that can be said, but the margin is too small ... I
mean I'm out of time right now.  Nonetheless, the basic issue should
be clear.

Steve
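The three cases above (same owner, different owners, delegation) reduce to one verification rule: a DN/e-mail binding is accepted only when a valid attestation exists from a party whose authority covers the DN prefix and one from a party whose authority covers the mail domain, and a single party may satisfy both. The following is an added example written for this archive page, not code from the pem-dev discussion or from any PEM implementation. Owner names, keys, and mailbox numbers are constructed; signatures are stood in for by HMAC-SHA256 tags under per-owner keys the verifier is assumed to hold already, since a self-contained demo has no certificate hierarchy to check public keys against.

```python
"""Dual-hierarchy binding check: a DN/e-mail pair is accepted only when the
owner of each name space has consented.  Constructed example; not code from
the pem-dev discussion.  HMAC-SHA256 under verifier-held per-owner keys stands
in for the public-key signatures a PEM deployment would use (an assumption
made so the demo runs offline)."""
import hashlib
import hmac
from dataclasses import dataclass, replace


def parse_dn(dn: str) -> tuple[str, ...]:
    """Split '/C=US,/O=Three Lawyers on a Stool,/CN=Curly' into RDN strings,
    accepting the slash-led, optionally comma-terminated layout used in the post."""
    return tuple(p.strip().rstrip(",").strip() for p in dn.split("/") if p.strip())


def canonical_binding(dn: str, mailbox: str) -> bytes:
    """The statement each consenting owner signs: the normalised joined pair."""
    return ("/".join(parse_dn(dn)) + "|" + mailbox.strip().lower()).encode()


@dataclass(frozen=True)
class Owner:
    name: str
    key: bytes                       # HMAC key standing in for a signing key (constructed)
    dn_prefix: tuple[str, ...] = ()  # DN sub-tree this owner controls; () = none
    domain: str = ""                 # mail domain this owner controls; "" = none

    def covers_dn(self, rdns: tuple[str, ...]) -> bool:
        return bool(self.dn_prefix) and rdns[: len(self.dn_prefix)] == self.dn_prefix

    def covers_mailbox(self, mailbox: str) -> bool:
        if not self.domain or "@" not in mailbox:
            return False
        dom = mailbox.rsplit("@", 1)[1].strip().lower()
        return dom == self.domain or dom.endswith("." + self.domain)


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def attest(owner: Owner, dn: str, mailbox: str) -> tuple[str, bytes]:
    """An owner's consent to the binding: (owner name, tag over the canonical pair)."""
    return owner.name, mac(owner.key, canonical_binding(dn, mailbox))


def delegation_stmt(delegate: Owner) -> bytes:
    return (delegate.name + "|" + "/".join(delegate.dn_prefix)).encode()


def delegate_dn(delegator: Owner, delegate: Owner) -> tuple[str, Owner, bytes]:
    """Delegator hands a narrower DN prefix to the delegate (the post's VARIATIONS case)."""
    return delegator.name, delegate, mac(delegator.key, delegation_stmt(delegate))


def verify_binding(dn, mailbox, attestations, roots, delegations=()):
    """Return (ok, reason).  ok needs a valid attestation from an owner covering the
    DN and one from an owner covering the mailbox; the same owner may supply both."""
    rdns, stmt = parse_dn(dn), canonical_binding(dn, mailbox)
    trusted = dict(roots)
    for delegator_name, delegate, tag in delegations:
        dor = roots.get(delegator_name)
        if dor is None:
            continue
        n = len(dor.dn_prefix)
        narrower = len(delegate.dn_prefix) > n and delegate.dn_prefix[:n] == dor.dn_prefix
        if narrower and hmac.compare_digest(mac(dor.key, delegation_stmt(delegate)), tag):
            trusted[delegate.name] = replace(delegate, domain="")  # DN grant gives no mail authority
    dn_ok = mail_ok = False
    for name, tag in attestations:
        o = trusted.get(name)
        if o is None or not hmac.compare_digest(mac(o.key, stmt), tag):
            continue  # unknown attester or tag does not verify: carries no weight
        dn_ok = dn_ok or o.covers_dn(rdns)
        mail_ok = mail_ok or o.covers_mailbox(mailbox)
    if dn_ok and mail_ok:
        return True, "both name-space owners consented"
    if dn_ok:
        return False, "missing consent from the mail-domain owner"
    if mail_ok:
        return False, "missing consent from the DN owner"
    return False, "no valid consent from either owner"


def demo() -> dict[str, bool]:
    """The post's three cases with constructed keys; returns the verdicts."""
    tis = Owner("TIS", b"tis-key", ("C=US", "O=Trusted Information Systems"), "tis.com")
    tls = Owner("TLS", b"tls-key", ("C=US", "O=Three Lawyers on a Stool"))
    openair = Owner("OpenAir", b"openair-key", domain="openair.com")
    curly = Owner("Curly", b"curly-key", tls.dn_prefix + ("CN=Curly",))
    roots = {o.name: o for o in (tis, tls, openair)}
    grant = delegate_dn(tls, curly)
    steve_dn = "/C=US,/O=Trusted Information Systems,/CN=Stephen D. Crocker"
    curly_dn = "/C=US,/O=Three Lawyers on a Stool,/CN=Curly"
    moe_dn = "/C=US,/O=Three Lawyers on a Stool,/CN=Moe"
    c_mail, m_mail, s_mail = "12345@openair.com", "12346@openair.com", "crocker@tis.com"
    return {
        "same_owner": verify_binding(steve_dn, s_mail, [attest(tis, steve_dn, s_mail)], roots)[0],
        "tls_alone": verify_binding(curly_dn, c_mail, [attest(tls, curly_dn, c_mail)], roots)[0],
        "tls_and_openair": verify_binding(curly_dn, c_mail, [attest(tls, curly_dn, c_mail),
                                          attest(openair, curly_dn, c_mail)], roots)[0],
        "delegated_curly": verify_binding(curly_dn, c_mail, [attest(curly, curly_dn, c_mail),
                                          attest(openair, curly_dn, c_mail)], roots, [grant])[0],
        "curly_for_moe": verify_binding(moe_dn, m_mail, [attest(curly, moe_dn, m_mail),
                                        attest(openair, moe_dn, m_mail)], roots, [grant])[0],
        "forged_tis": verify_binding(steve_dn, s_mail, [("TIS", mac(b"wrong-key",
                                     canonical_binding(steve_dn, s_mail)))], roots)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} {'accepted' if ok else 'rejected'}")
```

The point the code makes that the prose leaves implicit: the verifier does not count signatures, it checks coverage. Two attestations from TLS would still fail for Curly's openair.com mailbox, and Curly's delegated authority stops at his own CN, so his attestation for Moe's DN carries no weight even though the tag verifies.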
