Frank Siebenlist writes:
> Are you suggesting that we should keep the CA always with the DN for all the authorization decisions? (Essentially pushing the policy enforcement of name+CA to the authorization stage and throwing in the towel as far as the pkix/x509 global-naming dream is concerned...)
Yes. To all. As DC mentioned, there is a global naming strategy available to us. It is not perfect and it has some side effects, but it can at least reduce some of the human confusion. However, you still have to include the issuer in any decision, because you have to have some assurance that the binding was legitimate. We don't yet (won't ever?) have an a priori way of knowing that.
> If not, or maybe not, or sometimes not, should we move to a model where the CAs remain in the authorization picture and asserted names should always be considered in the context of the issuer?
I think this is the safer of the two choices you offered.
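To make the second model concrete, here is an added example (not code from the thread or any of its participants) of an authorization table keyed on the (issuer, subject) binding rather than on the DN alone, with a name-only lookup beside it for comparison; the DNs and rights are constructed.

```python
# Added example: authorization keyed on the issuer/subject binding.
# All DNs and rights below are constructed for illustration.
from typing import Dict, FrozenSet, Tuple

# A principal is the name *as bound by a particular issuer*, not the bare DN.
Principal = Tuple[str, str]  # (issuer DN, subject DN) as asserted by a certificate

# Constructed policy: rights are granted to one specific issuer/subject binding.
GRANTS: Dict[Principal, FrozenSet[str]] = {
    ("CN=Example Grid CA,DC=example,DC=org",
     "CN=Alice,DC=example,DC=org"): frozenset({"read", "submit"}),
}


def authorize(issuer: str, subject: str, right: str) -> bool:
    """Grant only if this exact issuer/subject binding holds the right.

    A certificate carrying the same subject DN but issued by a CA the policy
    never granted anything to matches no entry, so it is refused.
    """
    return right in GRANTS.get((issuer, subject), frozenset())


def authorize_by_name_only(subject: str, right: str) -> bool:
    """The weaker model: the issuer is dropped and only the DN is compared.

    Shown here only to contrast with authorize(); any issuer that can
    assert the DN would be accepted.
    """
    return any(right in rights for (_, s), rights in GRANTS.items() if s == subject)
```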