As I have said before, the purpose of a CA is to authenticate a user's right to use a claimed name, and then bind that to his public key, i.e. to certify the key-to-name binding, i.e. a certification authority. It is not, I repeat not, to be a naming authority.
Regards, David
As I have said before, the purpose of a CA is to be sure that if it is issuing a certificate, either the DN has not been used before by that CA or it can verify that it is issuing the cert to the same person as used the DN before. Unfortunately, this means storing Personally Identifiable Information so you can have something to check at time of renewal / re-issue ... and we are being required to have more and more protection associated with any PII we retain.
Bob Cowles