Warwick,
There would appear to be four ways to deal with this problem:
1. Cram the necessary certification tree information into the
Unique ID field as you have proposed, although I confess that I
have not examined your suggestions along these lines in detail.
2. Overburden the existing DN structure with something like a
caName or caDistinguishedName attribute, along the lines that
Warwick and I have discussed.
3. Create a new X.509-like format which WOULD allow for
non-distinguished attributes.
4. Use an extended certificate type such as PKCS #6, where the
extensions would also be signed by the CA.
However, these span two different categories of solution - one
long-term and one a quick-fix.
Option 3 or 4 unquestionably provides the best long-term solution, but
it will take time to get such a solution accepted and implemented
throughout the PEM, PKC and X.500 communities. (The active ISO project
on X.509 revision, possibly force-fed by a PEM initiative, seems the
way to go.)
I agree. There clearly are pros and cons regarding amending X.509 vs.
adopting PKCS #6. If we could adopt a PEM solution as a medium-range
fix, it might goad the ISO folks into fixing the problem permanently, but
this might still take three years, after which time they might say no!
Options 1 and 2 are quick fixes. They aim for expeditious deployment,
because they do not impact certificate distribution systems. I think
either of 1 or 2 could serve as an adequate interim fix (provided it is
limited to use in CA certificates - NOT user certificates).
I believe a long-term solution is essential. I think a quick fix is
also needed but this may be debatable.
We've talked about a number of variations. Why don't you go back through
the various ideas, restate the problem, and make a definitive proposal?
Bob