Bob:
I believe you have expressed the problems and potential solutions very
well.
There would appear to be four ways to deal with this problem:
1. Cram the necessary certification tree information into the
Unique ID field as you have proposed, although I confess that I
have not examined your suggestions along these lines in detail.
2. Overburden the existing DN structure with something like a
caName or caDistinguishedName attribute, along the lines that
Warwick and I have discussed.
3. Create a new X.509-like format which WOULD allow for
non-distinguished attributes.
4. Use an extended certificate type such as PKCS #6, where the
extensions would also be signed by the CA.
However, these span two different categories of solution - one
long-term and one a quick-fix.
Option 3 or 4 unquestionably provides the best long-term solution, but
it will take time to get such a solution accepted and implemented
throughout the PEM, PKC and X.500 communities. (The active ISO project
on X.509 revision, possibly force-fed by a PEM initiative, seems the
way to go.)
Options 1 and 2 are quick fixes. They aim for expeditious deployment,
because they do not impact certificate distribution systems. I think
either of 1 or 2 could serve as an adequate interim fix (provided it is
limited to use in CA certificates - NOT user certificates).
I believe a long-term solution is essential. I think a quick fix is
also needed but this may be debatable.
Warwick
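To make option 2 concrete, here is an added example that is not part of Warwick's message or of any of the projects named above. It encodes an X.501 Name in DER (SEQUENCE OF SET OF SEQUENCE { OID, value }), appends a caName-style attribute to a CA's subject name, and parses it back. Everything is constructed for illustration: the caName OID is a hypothetical placeholder under the private-enterprise arc, not a registered attribute; attribute values are encoded as UTF8String; and only the Name structure is handled, not a whole certificate. The last function shows the cost Warwick calls "overburdening" the DN: because the attribute lives inside the name, the extended DN no longer compares equal to the bare one, which is exactly why such a fix must stay confined to CA certificates.

```python
"""Option 2 from the discussion: carry CA-tree information in the DN itself.

Minimal DER encoder/decoder for an X.501 Name, written for this example.
Assumptions (constructed, not from the original message):
  - CA_NAME_OID is a placeholder arc, not a registered X.520 attribute.
  - Attribute values are encoded as UTF8String (tag 0x0C).
"""

CN = "2.5.4.3"
O = "2.5.4.10"
C = "2.5.4.6"
CA_NAME_OID = "1.3.6.1.4.1.99999.1"  # hypothetical placeholder for "caName"


def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(dotted):
    """Encode a dotted OID: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def encode_name(rdns):
    """rdns: list of RDNs, each a list of (oid, text) attribute pairs."""
    out = b""
    for rdn in rdns:
        atvs = [_tlv(0x30, _encode_oid(oid) + _tlv(0x0C, val.encode("utf-8")))
                for oid, val in rdn]
        out += _tlv(0x31, b"".join(sorted(atvs)))  # DER orders SET OF members
    return _tlv(0x30, out)


def _read_tlv(buf, pos):
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Inverse of encode_name; raises ValueError on an unexpected tag."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        t, rdn_body, pos = _read_tlv(body, pos)
        if t != 0x31:
            raise ValueError("RDN must be a SET")
        atvs, p = [], 0
        while p < len(rdn_body):
            _, atv, p = _read_tlv(rdn_body, p)
            _, oid_body, q = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, q)
            atvs.append((_decode_oid(oid_body), val.decode("utf-8")))
        rdns.append(atvs)
    return rdns


def add_ca_name(rdns, ca_name):
    """Option 2: append a caName RDN to a CA certificate's subject name."""
    return rdns + [[(CA_NAME_OID, ca_name)]]


def find_ca_name(rdns):
    """What a relying party would do: pull the caName attribute back out."""
    for rdn in rdns:
        for oid, val in rdn:
            if oid == CA_NAME_OID:
                return val
    return None


def names_match(der_a, der_b):
    """Whole-DN comparison, as X.500 name matching does: the extended name
    is a different name, which is the side effect of overloading the DN."""
    return decode_name(der_a) == decode_name(der_b)


if __name__ == "__main__":
    subject = [[(C, "US")], [(O, "Example CA")], [(CN, "Example Root")]]
    der = encode_name(add_ca_name(subject, "Example Policy CA"))
    print(find_ca_name(decode_name(der)))                 # Example Policy CA
    print(names_match(encode_name(subject), der))         # False
```

Run it directly to see the caName attribute recovered from the DER, and the name comparison failing against the bare subject. The comparison result is the practical caveat: anything that chains or matches certificates by DN must be taught about the extra attribute, or the interim fix silently breaks name-based lookup.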