It seems to me that this whole discussion centers around the question of
"what is the right way to denote a particular entity for the purposes of
forming and using a public key certificate?" And, as usual, I think that
the answer is "it depends on what you're trying to accomplish."
DNs are at one level an arbitrary set of attributes and associated values.
As such, they clearly have the expressive power to denote email addresses,
postal addresses, or for that matter biometric data. However, in actual
use they are almost always used as postal or organizational addresses (a
holdover from the X.400/X.500 models of the world), and the current set
of well-defined attributes reflects this. X.509v3 (or PKCS extended
certificates, or whatever) addresses this to some extent, but I can
definitely sympathize with the frustration expressed by John (and others
over the years) that DNs have not so far been good at meshing with how the
Internet in particular is actually used and managed. I can also sympathize
with people who simply don't like ASN.1 encoding; on the other hand, if we
don't use it we'll have to invent something close enough to it as not to
matter.
Amanda Walker
InterCon Systems Corporation
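The point above that a DN is "an arbitrary set of attributes and associated values", and therefore able to carry an email address, is easiest to see by taking a DN apart. The following is an added example, not code from the original message or from InterCon: a small parser for the RFC 4514 string form of a distinguished name, plus a helper that pulls out the PKCS #9 emailAddress attribute and a structural DN comparison. It assumes RFC 4514 syntax (backslash escapes, `+` for multi-valued RDNs), treats `\XX` hex escapes as single ASCII bytes, and all sample DNs in it are constructed.

```python
"""Parse an X.500/LDAP-style distinguished name (RFC 4514 string form) into
its attribute-value pairs. Added example; assumes RFC 4514 string syntax and
that '\\XX' hex escapes denote single ASCII bytes."""

# Short names and OIDs mapped to canonical attribute names. emailAddress is
# the PKCS #9 attribute (OID 1.2.840.113549.1.9.1) that carries an RFC 822
# address inside a DN; later X.509v3 profiles moved this to subjectAltName.
KNOWN_TYPES = {
    "cn": "commonName", "o": "organizationName",
    "ou": "organizationalUnitName", "c": "countryName",
    "st": "stateOrProvinceName", "l": "localityName",
    "emailaddress": "emailAddress", "1.2.840.113549.1.9.1": "emailAddress",
}

def _finish(attr_type, value):
    """Normalise the attribute type (case-insensitive, OID or alias)."""
    t = "".join(attr_type).strip().lower()
    return (KNOWN_TYPES.get(t, t), "".join(value))

def parse_dn(dn: str):
    """Return a list of RDNs; each RDN is a list of (type, value) pairs.
    Handles backslash-escaped specials, '\\XX' hex pairs, and '+' joining
    several attributes in one RDN. Raises ValueError on a missing '='."""
    rdns, current_rdn = [], []
    attr_type, value, in_value = [], [], False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and in_value:
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in "0123456789abcdefABCDEF" for c in nxt):
                value.append(chr(int(nxt, 16)))   # hex escape, assumed ASCII
                i += 3
                continue
            value.append(dn[i + 1])              # literal escaped character
            i += 2
            continue
        if ch == "=" and not in_value:
            in_value = True
            i += 1
            continue
        if ch in ",+" and in_value:
            current_rdn.append(_finish(attr_type, value))
            attr_type, value, in_value = [], [], False
            if ch == ",":                        # ',' ends the RDN, '+' does not
                rdns.append(current_rdn)
                current_rdn = []
            i += 1
            continue
        (value if in_value else attr_type).append(ch)
        i += 1
    if not in_value:
        raise ValueError("malformed DN: attribute without '='")
    current_rdn.append(_finish(attr_type, value))
    rdns.append(current_rdn)
    return rdns

def email_from_dn(dn: str):
    """All emailAddress values in the DN (a DN may legitimately carry several)."""
    return [v for rdn in parse_dn(dn) for (t, v) in rdn if t == "emailAddress"]

def dn_equal(a: str, b: str) -> bool:
    """Compare two DNs structurally rather than as raw strings: the same name
    can be spelled with different escaping, spacing, case or type aliases, so
    a byte-for-byte comparison is the wrong check for a certificate policy."""
    def norm(rdns):
        return [sorted((t, v.casefold()) for t, v in rdn) for rdn in rdns]
    return norm(parse_dn(a)) == norm(parse_dn(b))

if __name__ == "__main__":
    # Constructed sample DN, not a real certificate subject.
    sample = "CN=Amanda Walker, O=InterCon Systems Corporation, emailAddress=amanda@example.com"
    print(parse_dn(sample))
    print(email_from_dn(sample))
```

The comparison helper is the part worth keeping in mind when a DN is used as an identity: matching on the parsed attribute set, not the string, is what keeps `cn=Ann,O=X` and `CN=ann, o=x` from being treated as two different principals.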