Users may wish to obtain certificates which do not imply any organizational affiliation but which do purport to accurately and uniquely identify them. Such users can be registered as residential persons and the DN of such a user should be consistent with the attributes of the corresponding X.521 object class. Over time we anticipate that such users will be accommodated by civil government entities who will assume electronic certification responsibility at geographically designated points in the naming hierarchy. Until civil authorities are prepared to issue certificates of this form, residential user CAs will accommodate such users.
Because residential CAs may be operated under the auspices of multiple PCAs, there is a potential for the same residential CA DN to be assumed by several distinct entities. This represents the one exception to the rule articulated throughout this document that no two entities may have the same DN. This conflict is tolerated so as to allow residential CAs to be established offering different policies. Two requirements are levied upon residential CAs as a result: (1) residential CAs must employ the residential DN conflict detection database maintained by the IPRA, and (2) residential CAs must coordinate to ensure that they do not assign duplicate certificate serial numbers.
As an example, a residential user certificate might include a subject name of the form:

     C = "US"
     SP = "Massachusetts"
     L = "Boston"
     PA = "19 North Square"
     CN = "Paul Revere"

The issuer of that certificate might have a DN of the form:

     C = "US"
     SP = "Massachusetts"
     L = "Boston"

Note that the issuer DN is superior to the subject DN, as required by the IPRA policy described earlier.
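As an added example that is not part of this document, the following Python checks the three constraints stated above (the issuer DN must be superior to the subject DN, residential CA DNs may be assumed under several PCAs and must be detected, and serial numbers must stay unique per issuer DN) against the Paul Revere example. The ATTR="value" string syntax, the PCA names and the second (Maine) CA entry are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

RDN = Tuple[str, str]            # (attribute type, value), e.g. ("CN", "Paul Revere")
DN = Tuple[RDN, ...]
# Assumed string form for this example: space-separated ATTR="value" pairs, root (C) first.
_RDN_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def parse_dn(text: str) -> List[RDN]:
    """Parse a DN written as ATTR="value" pairs; reject anything outside that syntax."""
    if _RDN_RE.sub("", text).strip():
        raise ValueError(f"malformed DN: {text!r}")
    return [(attr.upper(), value) for attr, value in _RDN_RE.findall(text)]

def is_superior(issuer: str, subject: str) -> bool:
    """True if the issuer DN is a proper prefix of the subject DN, i.e. the issuer
    sits above the subject in the naming hierarchy, as the IPRA policy requires."""
    i, s = parse_dn(issuer), parse_dn(subject)
    return len(i) < len(s) and s[: len(i)] == i

def residential_dn_conflicts(registry: List[Tuple[str, str]]) -> Dict[DN, Set[str]]:
    """registry: (PCA name, residential CA DN) pairs, standing in for the IPRA
    conflict-detection database. Returns the DNs assumed under more than one PCA:
    the tolerated conflicts whose CAs must coordinate serial numbers."""
    by_dn: Dict[DN, Set[str]] = defaultdict(set)
    for pca, dn in registry:
        by_dn[tuple(parse_dn(dn))].add(pca)
    return {dn: pcas for dn, pcas in by_dn.items() if len(pcas) > 1}

def duplicate_serials(issued: List[Tuple[str, str, int]]) -> List[Tuple[DN, int]]:
    """issued: (PCA name, issuer DN, serial) per certificate. An (issuer DN, serial)
    pair must identify exactly one certificate, so the same serial under the same
    DN from two distinct PCAs is a collision the CAs failed to coordinate."""
    seen: Dict[Tuple[DN, int], Set[str]] = defaultdict(set)
    for pca, dn, serial in issued:
        seen[(tuple(parse_dn(dn)), serial)].add(pca)
    return [key for key, pcas in seen.items() if len(pcas) > 1]

# Constructed sample data reproducing the example from the text.
ISSUER = 'C="US" SP="Massachusetts" L="Boston"'
SUBJECT = 'C="US" SP="Massachusetts" L="Boston" PA="19 North Square" CN="Paul Revere"'

if __name__ == "__main__":
    print(is_superior(ISSUER, SUBJECT))   # True
    print(is_superior(SUBJECT, ISSUER))   # False: a subordinate cannot issue for its superior
    registry = [("PCA-A", ISSUER), ("PCA-B", ISSUER), ("PCA-A", 'C="US" SP="Maine" L="Portland"')]
    print(residential_dn_conflicts(registry))   # the Boston CA DN is assumed under two PCAs
    print(duplicate_serials([("PCA-A", ISSUER, 1), ("PCA-B", ISSUER, 1), ("PCA-B", ISSUER, 2)]))
```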