Let me clarify the X9.30 (proposed) use of the subject UID. We specifically
allow the CA to issue multiple certificates to a user, to simplify recovery
from compromise, etc. There was a proposal to use the subject UID to
identify these different certificates (from someone more familiar with X9.17
than with X.509). But the simple combination of issuer name and serial
number accomplishes the same thing. (At worst, a verifier can just try ALL
of the signer's certificates until one verifies the signature.) We removed
this use of the subject UID, since it does break the 1993 ACL mechanism.
We say very little about the issuer UID field. This is different from
Francisco's discussion of multiple certificates issued by different CAs.
We don't discuss that very much, except to require the use of different key
pairs for each certificate.
Regards,
Rich
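Added example, not part of Rich's message and not code from X9.30 or any X.509 implementation: it models a CA that issues one subject several certificates, keys each certificate by (issuer name, serial number) so no subject UID is needed to tell them apart, and shows the verifier fallback the message describes, trying all of the signer's certificates until one verifies. The class and function names (`Certificate`, `CertStore`, `verify_signature`, the `hint` parameter) and the tiny textbook-RSA keys are assumptions made for illustration; the toy signature scheme is insecure and exists only so the example runs offline.

```python
"""Multiple certificates per subject, identified by (issuer, serial).

Added example (not from the original message). The signature scheme is a
deliberately tiny textbook-RSA toy with constructed primes: insecure,
illustration only. The certificate model is a simplification of X.509.
"""
import hashlib
from dataclasses import dataclass

# --- toy textbook RSA (constructed parameters, NOT a real signature scheme) ---
def _toy_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # (public, private)

def _digest(msg: bytes, n: int) -> int:
    # reduce the hash so it fits under the tiny toy modulus
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

# --- certificate model: (issuer, serial) is the unique certificate identity ---
@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    subject: str
    public_key: tuple

class CertStore:
    def __init__(self):
        self._by_id = {}   # (issuer, serial) -> Certificate

    def add(self, cert: Certificate) -> None:
        key = (cert.issuer, cert.serial)
        if key in self._by_id:
            raise ValueError("issuer name + serial number must be unique")
        self._by_id[key] = cert

    def lookup(self, issuer: str, serial: int):
        return self._by_id.get((issuer, serial))

    def for_subject(self, subject: str):
        # every certificate the CA has issued to this subject, any serial
        return [c for c in self._by_id.values() if c.subject == subject]

def verify_signature(store: CertStore, signer: str, msg: bytes, sig: int, hint=None):
    """Return the certificate that verifies `sig` over `msg`, or None.

    `hint` is an optional (issuer, serial) pair carried with the signature.
    If the hinted certificate verifies, that is the fast path; otherwise fall
    back to trying ALL of the signer's certificates, as the message describes.
    """
    if hint is not None:
        cert = store.lookup(*hint)
        if cert is not None and cert.subject == signer and verify(cert.public_key, msg, sig):
            return cert
    for cert in store.for_subject(signer):
        if verify(cert.public_key, msg, sig):
            return cert
    return None

def build_demo():
    """One CA issues three certificates to the same subject (constructed data)."""
    store, privs = CertStore(), {}
    toy_primes = [(104729, 1299709), (7919, 15485863), (999983, 1000003)]
    for serial, (p, q) in enumerate(toy_primes, start=1):
        pub, priv = _toy_keypair(p, q)       # a different key pair per certificate
        store.add(Certificate("CN=Example CA", serial, "CN=alice", pub))
        privs[serial] = priv
    return store, privs

if __name__ == "__main__":
    store, privs = build_demo()
    msg = b"constructed message"
    sig = sign(privs[2], msg)
    print("hinted:", verify_signature(store, "CN=alice", msg, sig, hint=("CN=Example CA", 2)).serial)
    print("scan:  ", verify_signature(store, "CN=alice", msg, sig).serial)
```

The store refuses a second certificate with the same (issuer, serial), which is the uniqueness the message relies on; a wrong or missing hint still resolves, at the cost of one verification per certificate the signer holds.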