Sorry, but I'm not quite getting what is so problematic with what
Christopher and Oscar proposed:
What really stops me from leaving the Subject field empty, and including BOTH my
e-mail address (as RFC822name) and my name/surname as a proper(!)
DirectoryName in the SubjectAltName field?
I believe that the root of the problem is in [mis]interpretation of the
"uniqueness of the name" requirement. The document says in (4.1.2.6
Subject):
-------------
Where it is non-empty, the subject field MUST contain an X.500
distinguished name (DN). The DN MUST be unique for each subject entity
certified by the one CA as defined by the issuer name field. A CA may
issue more than one certificate with the same DN to the same subject
entity.
--------------
This is what Stefan was referring to, right?
However, there is NO such uniqueness requirement for the DN included in
the SubjectAltName. Or I've missed one. So I do not see a problem with
having a SubjectAltName containing a non-unique DN, as long as the rest of the
information in the extension makes it unique.
We're in the process of revising the alt subject name text, and one
of the proposed changes is to treat it as stringently as the subject
name. I believe text citing the uniqueness check, as well as CA
verification, has been circulated. Irrespective of this, other
traffic I've just sent discusses the question of whether/how an email
address fits into a DN.
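The layout proposed above (empty subject, with an rfc822Name and a directoryName in the SubjectAltName), together with the two checks the thread touches on, as an added example that is not part of this exchange. It uses the Python `cryptography` package; the issuer, key, e-mail address and person's name are constructed sample values, and applying the per-issuer DN uniqueness rule to SAN directoryNames as well as to the subject follows the revision the reply describes, not current RFC text.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample CA")])  # constructed
SAN_OID = ExtensionOID.SUBJECT_ALTERNATIVE_NAME

def sample_san() -> x509.SubjectAlternativeName:
    """Constructed SAN: an rfc822Name plus a directoryName carrying the person's name."""
    return x509.SubjectAlternativeName([
        x509.RFC822Name("alice@example.com"),
        x509.DirectoryName(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Alice Example")])),
    ])

def make_cert(subject: x509.Name, san: x509.SubjectAlternativeName, critical: bool) -> x509.Certificate:
    """Issue a short-lived sample certificate with the given subject and SAN (throwaway key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(ISSUER)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(san, critical=critical)
            .sign(key, hashes.SHA256()))

def empty_subject_cert(critical: bool) -> x509.Certificate:  # the layout proposed in the thread
    return make_cert(x509.Name([]), sample_san(), critical)

def san_ext(cert: x509.Certificate):
    try:
        return cert.extensions.get_extension_for_oid(SAN_OID)
    except x509.ExtensionNotFound:
        return None

def empty_subject_ok(cert: x509.Certificate) -> bool:
    """RFC 5280 4.1.2.6: if the subject is empty, a SAN MUST be present and marked critical."""
    ext = san_ext(cert)
    return len(cert.subject) != 0 or (ext is not None and ext.critical)

def entity_dns(cert: x509.Certificate) -> list:
    """DNs a CA would key uniqueness on: the subject DN plus every SAN directoryName."""
    dns = [cert.subject] if len(cert.subject) else []
    ext = san_ext(cert)
    return dns + (ext.value.get_values_for_type(x509.DirectoryName) if ext is not None else [])

def ca_accepts(issued: dict, cert: x509.Certificate, entity_id: str) -> bool:
    """Per-issuer uniqueness: a DN may recur for the same entity, never for a different one."""
    return all(issued.setdefault(dn, entity_id) == entity_id for dn in entity_dns(cert))
```

`issued` stands in for the CA's record of which DN is bound to which subject entity; a real CA would persist it and also reject the certificate when `empty_subject_ok` fails.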