Warwick,
I see your point.
Based on a suggestion by Steve Kent, I had been planning
to use something like
C=US, O=GTE Laboratories Incorporated, OU=Employee
as the name for the CA, but this was more for convenience
in designating the status of the user. Extensions
could then include OU=Resident Visitor, OU=Contractor,
OU=Dependent, etc.
Granting that "unnaturalness" is in the eye of the beholder,
as has certainly been demonstrated recently, would such a
usage strike you as unnatural? Moreover, would you
feel the need to create aliases for every name?
I have not been able to think all through the implications
of your Authorized Subtree suggestions, or Francisco Jordan's
rather similar proposals yet, but on the surface they seem to
have merit.
I am somewhat afraid, however, that these additional issues
may be enough to sink the boat, given the apparent willingness
of some to give up nonrepudiation, DNs, etc. and just embrace
RIPEM or PGP.
As an admittedly temporizing suggestion, I would suggest
either using something like OU=Employee, or otherwise
and second best, O=BNR, CN=Certification Authority #1,
with the understanding that the name subordination rules
would not apply to CNs (or perhaps to any attributes other
than country, organization and organizationalUnit?).
Bob
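The two naming schemes and the "subordination rules would not apply to CNs" variant discussed in the message above, as an added illustration that is not part of the original thread. The DN parser, the user names, and the `restrict_to` parameter are constructed here for illustration; the CA names come from the message.

```python
# Added example (not from the original message): a toy name-subordination check
# for the CA naming schemes discussed above. DN strings and the rule variants
# are constructed for illustration; real X.509/PEM name matching is more involved.

SUBORDINATION_ATTRS = {"C", "O", "OU"}  # attributes the relaxed rule applies to


def parse_dn(dn):
    """Parse 'C=US, O=Foo, OU=Bar' into an ordered list of (type, value) RDNs."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def is_subordinate(ca_dn, subject_dn, restrict_to=None):
    """True if the CA's RDN sequence is a prefix of the subject's RDN sequence.

    If restrict_to is given (a set of attribute types), RDNs of any other type
    (e.g. CN) are dropped from both names before the prefix comparison. This
    models the variant in which subordination rules do not apply to CNs.
    """
    ca = parse_dn(ca_dn)
    subj = parse_dn(subject_dn)
    if restrict_to is not None:
        ca = [r for r in ca if r[0] in restrict_to]
        subj = [r for r in subj if r[0] in restrict_to]
    return len(ca) <= len(subj) and subj[: len(ca)] == ca


# Constructed samples: CA names from the message, user names invented here.
CA_EMPLOYEE = "C=US, O=GTE Laboratories Incorporated, OU=Employee"
USER_OK = "C=US, O=GTE Laboratories Incorporated, OU=Employee, CN=Jane Doe"
USER_OTHER_OU = "C=US, O=GTE Laboratories Incorporated, OU=Contractor, CN=Jane Doe"

CA_BNR = "O=BNR, CN=Certification Authority #1"
USER_BNR = "O=BNR, OU=Research, CN=John Smith"

if __name__ == "__main__":
    print(is_subordinate(CA_EMPLOYEE, USER_OK))        # True
    print(is_subordinate(CA_EMPLOYEE, USER_OTHER_OU))  # False
    # Strict rule: the CA's CN is not a prefix of the user's name.
    print(is_subordinate(CA_BNR, USER_BNR))            # False
    # Relaxed rule: CN ignored, so only O=BNR must match.
    print(is_subordinate(CA_BNR, USER_BNR, SUBORDINATION_ATTRS))  # True
```

Under the strict rule the second-best scheme would force every user name to carry the CA's CN, which is the tension the message points at.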