David Chadwick writes:
Hi Mike
there is more to it than what you propose, and this is the second point I make, i.e. whether two different users can be given the same DN or not by different CAs (we assume that the same CA will be competent enough not to do that). If the answer is yes, then your whole infrastructure is broken. If the answer is no, then the sentence below should be changed.
Well, in the long long ago, the signing policy was in fact designed for just this situation: CA A & CA B both certify subject name X. The relying party has to decide which one of these versions of X it is willing to trust (or both or neither). We don't allow this problem to exist in IGTF accredited CAs by policy. And it is generally agreed that such collisions are so undesirable that this policy is not controversial. There is nothing that can be done about non-accredited CAs (such as government or commercial CAs, for instance), although many of them constrain their namespaces adequately so as not to be a problem.
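As an added illustration of the relying-party check Mike describes (this is example code written for this page, not code from the thread, from Globus or from IGTF, and it does not parse the real signing_policy file format): each trusted issuer is bound to the subject-DN namespaces it may sign, a chain whose subject falls outside its issuer's namespace is rejected, and a subject name that more than one trusted CA is entitled to sign is flagged as the "two versions of X" collision that the relying party has to resolve. The issuer names, namespaces and subject DNs are constructed for the example.

```python
"""
Relying-party namespace check for X.509 subject DNs, as a simplified model of what a
Globus/IGTF-style signing policy enforces. Added example; the policy data, issuer DNs
and subject DNs are constructed and do not correspond to real CAs.
"""
from typing import Dict, List, Tuple

# Hypothetical policy: issuer DN -> subject-DN patterns that issuer is permitted to sign.
# A trailing "/*" component means "any subject beneath this prefix".
# CA-A and CA-C deliberately both claim /O=Shared, the collision case from the thread.
POLICY: Dict[str, List[str]] = {
    "/C=XX/O=CA-A/CN=Example CA A": ["/C=XX/O=OrgA/*", "/C=XX/O=Shared/*"],
    "/C=XX/O=CA-B/CN=Example CA B": ["/C=XX/O=OrgB/*"],
    "/C=XX/O=CA-C/CN=Example CA C": ["/C=XX/O=Shared/*"],
}


def split_dn(dn: str) -> List[str]:
    """Split an OpenSSL 'oneline' style DN ('/C=XX/O=Org/CN=name') into RDN components."""
    return [rdn for rdn in dn.split("/") if rdn]


def subject_in_namespace(subject: str, pattern: str) -> bool:
    """Match on whole RDN components, so '/O=OrgA/*' never covers '/O=OrgAttacker/CN=x'.

    A plain string-prefix comparison (subject.startswith('/C=XX/O=OrgA')) would
    accept that sibling organisation, which is the classic namespace-constraint bug.
    """
    subj = split_dn(subject)
    pat = split_dn(pattern)
    if pat and pat[-1] == "*":
        prefix = pat[:-1]
        return len(subj) > len(prefix) and subj[: len(prefix)] == prefix
    return subj == pat


def issuers_accepting(subject: str, policy: Dict[str, List[str]] = POLICY) -> List[str]:
    """Every trusted issuer whose namespace covers this subject name (sorted for stable output)."""
    return sorted(
        issuer
        for issuer, patterns in policy.items()
        if any(subject_in_namespace(subject, p) for p in patterns)
    )


def check_subject(
    issuer: str, subject: str, policy: Dict[str, List[str]] = POLICY
) -> Tuple[str, List[str]]:
    """Classify an (issuer, subject) pair taken from an already signature-verified chain.

    Returns (status, accepting_issuers) where status is one of:
      'untrusted_issuer'  - the issuer is not in the policy at all
      'outside_namespace' - the issuer is not permitted to sign this subject name
      'ambiguous'         - another trusted CA may also sign it; the relying party
                            must decide which version of the name it trusts
      'accept'            - exactly one trusted CA, this one, owns the name
    """
    if issuer not in policy:
        return "untrusted_issuer", []
    accepting = issuers_accepting(subject, policy)
    if issuer not in accepting:
        return "outside_namespace", accepting
    if len(accepting) > 1:
        return "ambiguous", accepting
    return "accept", accepting


if __name__ == "__main__":
    # Constructed (issuer, subject) pairs covering each outcome.
    for issuer, subject in [
        ("/C=XX/O=CA-A/CN=Example CA A", "/C=XX/O=OrgA/CN=alice"),
        ("/C=XX/O=CA-B/CN=Example CA B", "/C=XX/O=OrgA/CN=alice"),
        ("/C=XX/O=CA-A/CN=Example CA A", "/C=XX/O=OrgAttacker/CN=mallory"),
        ("/C=XX/O=CA-C/CN=Example CA C", "/C=XX/O=Shared/CN=bob"),
        ("/C=XX/O=CA-Z/CN=Unknown CA", "/C=XX/O=OrgA/CN=alice"),
    ]:
        status, who = check_subject(issuer, subject)
        print(f"{status:18} {subject}  signed by {issuer}  claimable by {who}")
```

The check runs after ordinary chain validation, not instead of it: the signature proves the issuer signed the name, and the policy decides whether that issuer was entitled to. The 'ambiguous' outcome is returned rather than silently resolved, because which of the competing CAs to believe (or both, or neither) is a relying-party decision, not something the verifier can infer from the certificates themselves.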