Since sending my message Friday, I have realized one problem with the
proposal. seeAlso is a multivalued attribute with values being single
DNs, not an attribute with a value being a set of DNs. Hence it cannot
be used the way I wanted in the multiple-subtrees example:

    C=CA, O=BNR, CN="BNR Corporate CA #1", SA={(C=CA, O=BNR), (C=CA,
    O="Northern Telecom"), (C=US, O=BNR)}.

Unfortunately there seems to be no X.520 attribute with a value
containing a set of DNs. One way to achieve the desired result
would be simply:

    C=CA, O=BNR, CN="BNR Corporate CA #1", SA=(C=CA, O=BNR), SA=(C=CA,
    O="Northern Telecom"), SA=(C=US, O=BNR).

This gets the right information into the certificate but it is really
stretching things to suggest that this is truly a DN. Best we could do
is say it is a DN with a set of special AVAs appended.

I believe my proposal for the single-subtree case is sound. If we want
to extend to multiple-subtrees, a new attribute is clearly desirable.

Warwick