Peter,
It is interesting that we are drawing notably different
conclusions on the intent of some of the policy capabilities
of the certificate PDAM. My understanding is based on the
following assumptions:
1) The purpose of the certificate is to establish a binding
between a key and an identity.
2) The certificate extensions must support the ability
to automatically validate the purported binding. This is
reflected in the CA identification and name constraint/chain
processing features.
3) Some identities (users) may have multiple keys (for the
same or different algorithms). As a convenience/help to validators,
usage information provides guidance on matching certificates and
an application/usage.
4) Different CAs will implement their procedures, especially
the establishment of the user's identity, with differing levels
of confidence. The policy information provides information about
the rules and procedures enforced by the CA (and by extension, all
subordinates) in support of determining suitability of this
certificate for a given purpose.
5) Authorization information is not part of the X.509 certificate
(unless added in private extensions or included attributes).
I think the basis of our disagreement is that you are coupling
usage information (which I view as guidance) with authorization
management (which I believe is external to the certificate).
I think this is an important area to explore so that there is more
common agreement on the semantics of the certificate fields as
people start to plan for their use. Such agreement is needed if
the goals of automated validation and decision making are to
be met.
Dave
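The separation Dave draws in points 3) through 5), as an added example that is not part of the message: a small pure-Python decoder for the DER value of the X.509 KeyUsage and certificatePolicies extensions, followed by a validator-side check in which the usage bits guide matching a certificate to an application, the policy OIDs feed the suitability decision, and authorization is looked up in a table outside the certificate. The DER byte strings, the access-control list and the application requirements are constructed for this example; the two policy OIDs (anyPolicy and the CA/Browser Forum domain-validated policy) are real but stand in for whatever a relying party would actually accept.

```python
# Added example (not from the message): decode KeyUsage and certificatePolicies
# DER values and apply them as described above. Sample bytes and ACL are constructed.

KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def _read_tlv(data, pos=0):
    """Read one DER tag-length-value (definite length). Returns (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_key_usage(der):
    """KeyUsage ::= BIT STRING. First content octet = count of unused trailing bits."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage value is not a BIT STRING")
    unused, bits = value[0], value[1:]
    defined = min(len(bits) * 8 - unused, len(KEY_USAGE_BITS))
    names = set()
    for i in range(defined):
        byte, offset = divmod(i, 8)        # bit 0 is the most significant bit of octet 0
        if bits[byte] & (0x80 >> offset):
            names.add(KEY_USAGE_BITS[i])
    return names


def decode_oid(content):
    """Turn OID content octets (base-128 subidentifiers) into dotted notation."""
    subids, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a subidentifier
            subids.append(acc)
            acc = 0
    first = subids[0]                      # first two arcs are packed as 40*arc1 + arc2
    arc1 = 0 if first < 40 else 1 if first < 80 else 2
    return ".".join(str(x) for x in [arc1, first - 40 * arc1] + subids[1:])


def decode_certificate_policies(der):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation; returns the policy OIDs."""
    tag, seq, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("certificatePolicies value is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        _, policy_info, pos = _read_tlv(seq, pos)   # PolicyInformation ::= SEQUENCE
        otag, oid, _ = _read_tlv(policy_info)        # policyIdentifier is its first element
        if otag != 0x06:
            raise ValueError("policyIdentifier is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid))
    return oids


def suitable_for(key_usage_der, policies_der, required_usage, acceptable_policies):
    """Validator-side matching: does this certificate fit the application's purpose?"""
    usage = decode_key_usage(key_usage_der)
    missing = set(required_usage) - usage
    if missing:
        return False, "key usage lacks " + ", ".join(sorted(missing))
    matched = set(decode_certificate_policies(policies_der)) & set(acceptable_policies)
    if not matched:
        return False, "no acceptable certificate policy asserted"
    return True, "policy " + sorted(matched)[0]


def decide(identity, action, acl, key_usage_der, policies_der, required_usage, acceptable_policies):
    """Suitability comes from the certificate; authorization comes from an external ACL."""
    ok, reason = suitable_for(key_usage_der, policies_der, required_usage, acceptable_policies)
    if not ok:
        return "reject: " + reason
    if action not in acl.get(identity, ()):
        return "reject: " + identity + " not authorized for " + action
    return "accept: " + reason


# Constructed sample extension values (DER) and a constructed ACL.
EE_KEY_USAGE = bytes.fromhex("030205a0")            # digitalSignature, keyEncipherment
CA_KEY_USAGE = bytes.fromhex("03020106")            # keyCertSign, cRLSign
EE_POLICIES = bytes.fromhex("301230080606" "67810c010201" "30060604551d2000")
ACL = {"alice@example.test": {"sign-order"}}         # hypothetical, lives outside the cert

if __name__ == "__main__":
    print(sorted(decode_key_usage(EE_KEY_USAGE)))
    print(decode_certificate_policies(EE_POLICIES))
    print(decide("alice@example.test", "sign-order", ACL, EE_KEY_USAGE, EE_POLICIES,
                 {"digitalSignature"}, {"2.23.140.1.2.1"}))
```

The point of splitting `suitable_for` from `decide` is that the first answers only "is this certificate the right kind for this application, under a CA policy we trust," while the second consults data the certificate never carried; a certificate that passes the first check still says nothing about what its subject may do.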