David Chadwick writes:
This is a very interesting viewpoint. What you are saying, if I put it another way, is that everyone can have a completely random name, it's irrelevant what it actually is, as long as the user can authenticate to that name (via signing something whose signature validates with the certificate containing that name) and then as long as the authorisation infrastructure can reliably get the set of attributes that are bound to the same name, then correct authorisation can be performed, regardless of the name of the user. In which case name constraints are irrelevant. I would agree with that.
That's pretty much it. In practice, people (=relying party representatives, say) usually want something meaningful in the name at least for "people" certs. Most people recognize now that this is not sufficient to identify a particular person but it humanizes the certs. Perhaps this makes the workflow a little more efficient for everyone.