I don't think you will ever come close to finding them all with such an
approach, because the users in question are hidden behind firewalls and
on systems such as AOL, CompuServe, etc. I think the CAs and/or PCAs
are going to have to register the names with an appropriate database or
directory at the time the certificates are proposed to be generated.
That's exactly what we are doing, but in our sub-hierarchy.
At least as far as I recall, the DN name collision problem only applies
to Residential Person users. (Organizational users have to solve the
problem for themselves, using a serial number or other convention if
necessary within their company.)
The problem may also appear at the first CA level below the PCA!
To the best of my knowledge, neither the PEM WG nor the INA ever
defined a core set of attribute types that are required to be supported
(by the PCAs, the certificate generation software, and/or the PEM
software) for such purposes, much less a recommended schema for them.
The X.521 "useful attributes" are neither necessary nor sufficient for
this purpose.
We have selected the subset of these attributes in our
CA Registration Form.
It is increasingly obvious that the architectural development of PEM
essentially stopped a year or so ago, leaving many of these practical
and interoperability issues as yet unanswered.
In order to make our Certificate Management System smooth and
user-friendly, we have done some architectural extensions, which
we will report in San Diego.
Regards,
Sead Muftic