
Re: draft liaison response re DR 320

Denis:

Gentlemen:

This is a response to your communiqué of 2007-10-05 re Defect Report 320 submitted to ITU-T SG17. The PKIX Working Group met in Vancouver on 2007-12-03 and discussed your message and DR 320. We agree that the X.500 model, and X.501 specifically, defines a DN as a globally unique identifier in The Directory. As you noted, name uniqueness is a critical feature of hierarchic distributed naming schemes, such as X.500 and the DNS, and for e-mail addresses. In the Internet we have successfully dealt with the problem of name uniqueness for DNS names and, as a corollary, for RFC 822 e-mail addresses. However, it has required a substantial investment of resources over about 25 years to achieve our current status in this regard. Unfortunately, the X.500 directory model, perhaps in part because of its richer naming semantics, has not achieved the same status. It often is not an easy task for a CA to examine a proposed name and determine if the Subject has the right to that name, when the name is a DN.

I propose to delete the following sentence, since we do not agree with all the observations made in DR 320.

Thus we agree with the observations made in DR 320.


It is a fact that Certification Authorities (CAs) are being deployed with names chosen locally, without acquiring a DN from a naming authority.


This sentence is very important and its consequences should be mentioned. I propose to add the following text:

"As a consequence, nothing may prevent two unrelated CAs from choosing the same DN for two different entities (e.g. end-entities, CAs, CRL Issuers, OCSP responders). By implication, a CA DN and a serial number taken alone do not necessarily identify a single entity".

This is not the whole story. We have requirements about the CRL and certificate signer certificates chaining to the same trust anchor. To me, this significantly reduces the concerns.

Russ
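The disagreement above is about whether (issuer DN, serial number) alone identifies a certificate once CAs pick their own DNs. The following is an added illustration, not part of the thread and not anything either participant wrote: it models two unrelated CAs that happen to choose the same DN under different trust anchors, shows that a lookup keyed only on (issuer DN, serial) is ambiguous, and then applies the rule Russ refers to, that the CRL issuer's certificate and the certificate's signer must chain to the same trust anchor. All DNs, serial numbers and root labels are constructed, and "trust anchor" is represented as a plain label rather than a real chain.

```python
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str        # issuer DN as a printed string (constructed)
    serial: int
    trust_anchor: str  # label of the root this certificate chains to (stands in for path validation)


@dataclass(frozen=True)
class Crl:
    issuer: str                    # CRL issuer DN
    trust_anchor: str              # root the CRL signer's certificate chains to
    revoked_serials: FrozenSet[int]


# Constructed scenario: two unrelated CAs chose the same DN, each under its own root.
SHARED_CA_DN = "CN=Example CA,O=Example"

CERTS: List[Cert] = [
    Cert("CN=alice", SHARED_CA_DN, 1001, "Root A"),
    Cert("CN=bob",   SHARED_CA_DN, 1002, "Root A"),
    Cert("CN=carol", SHARED_CA_DN, 1001, "Root B"),  # same issuer DN *and* serial as alice
]

# A CRL signed under Root A that revokes serial 1001.
CRL_FROM_ROOT_A = Crl(SHARED_CA_DN, "Root A", frozenset({1001}))


def find_by_issuer_serial(certs: List[Cert], issuer: str, serial: int) -> List[Cert]:
    """Lookup keyed on (issuer DN, serial) alone.

    This is the identification DR 320 questions: with locally chosen CA
    names nothing guarantees the result is a single certificate.
    """
    return [c for c in certs if c.issuer == issuer and c.serial == serial]


def certs_revoked_by(crl: Crl, certs: List[Cert], require_same_anchor: bool) -> List[Cert]:
    """Return the certificates a CRL entry applies to.

    With require_same_anchor=False the CRL is matched on issuer DN only and
    reaches into the unrelated CA's namespace.  With require_same_anchor=True
    the match is scoped to certificates whose signer chains to the same trust
    anchor as the CRL signer, which is the constraint Russ relies on.
    """
    hits = []
    for c in certs:
        if c.issuer != crl.issuer or c.serial not in crl.revoked_serials:
            continue
        if require_same_anchor and c.trust_anchor != crl.trust_anchor:
            continue
        hits.append(c)
    return hits


def is_revoked(cert: Cert, crl: Crl) -> bool:
    """Revocation check a relying party would run, with the same-anchor rule applied."""
    return cert in certs_revoked_by(crl, [cert], require_same_anchor=True)


if __name__ == "__main__":
    ambiguous = find_by_issuer_serial(CERTS, SHARED_CA_DN, 1001)
    print("matches for (DN, 1001) without anchor scoping:", [c.subject for c in ambiguous])
    print("revoked by Root A CRL, DN-only matching:",
          [c.subject for c in certs_revoked_by(CRL_FROM_ROOT_A, CERTS, False)])
    print("revoked by Root A CRL, same-anchor rule:",
          [c.subject for c in certs_revoked_by(CRL_FROM_ROOT_A, CERTS, True)])
```

Run stand-alone, the DN-only lookup returns both alice and carol, and the DN-only CRL match would revoke carol's certificate even though her CA has no relationship to the CRL signer; scoping the CRL to certificates chaining to the same trust anchor leaves only alice. The example does not settle whether Denis's proposed sentence belongs in the liaison text; it only shows what each side's claim means for a relying party.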