Each entity has a clear and unique Distinguished Name in the certificate subject field, structured according to X.501.
Any name under this CP/CPS will start with "O=dutchgrid". Thereafter, the subscribers class, defined as either "users", "hosts" or "servers", shall be attached in the form "O=class". The "users" class shall contain only certificates for subscribers that are natural persons. The "hosts" class shall contain only certificates for subscribing entities that are automated systems, applications or services. The private key for "hosts" certificates may be stored in an unencrypted form. The "servers" class shall contain only certificates for subscribers that are automated systems, applications or services. The private key for such entities must be stored in proper encrypted form only.
The subject name must contain the affiliation of the subscriber to his organisation. This organisation must be one of the organisational end-entities detailed in section 1.3.3. If an organisation consists of multiple administrative divisions, the division name must be included in the subject name as an organizationalUnit. Changes in division name that do not change the organisational layout of an organisation, do not constitute reason to invalidate the current unit name.
The subject name must contain the full name of the subscriber. In case the subscriber is a natural person, this name must correspond the his name given at birth. In case more than one first name is associated with the subscriber, no more then one of these need be specified in the subject name; which first name is included is left to the subscriber. Additional attributes may be post pended to the full name of the subscriber. Such attributes will be clearly separated from this full name.
In case the subscriber is a internetwork entity, the fully-qualified domain name (FQDN) must be used in the subject. In case no such FQDN is assigned, the entity is not eligible for certification under this policy. The FQDN may be preceded by an identifier representing a network service. The domain name part of the FQDN will be used as an organizationalUnitName. Hosts contained within the same logical network entity may be aggregated into the same organisational unit, even when the domain name part is different.