Each entity has a clear and unique Distinguished Name in the certificate subject field, structured according to X.501.
Any end-entity name under this CP/CPS will start with either "/O=dutchgrid", or with "/DC=org/DC=dutchgrid". Thereafter, the subscriber's class, defined as either "users", "hosts", or "servers", shall be attached in the form "O=class".
The "users" class shall contain only certificates for subscribers that are natural persons. Their private key must be stored in a properly encrypted form.
The "hosts" class shall contain only certificates for subscribing entities that are automated systems, applications or services. The private key for such entities may be stored in an unencrypted form.
The "servers" class shall contain only certificates for subscribers that are automated systems, applications or services. The private key for such entities may be stored in an encrypted form.
The subject name may contain the affiliation of the subscriber to his organisation. This organisation must be one of the organisational end-entities allowed for in section 1.3.3. Inclusion of the affiliation is not optional for end-entities, but decided by the CA centrally.
If an organisation consists of multiple administrative divisions, the division name may be included in the subject name as an organizationalUnit. Changes in division name that do not change the organisational layout of an organisation do not constitute a reason to invalidate the current unit name.
The subject name must contain the full name of the subscriber. In case the subscriber is a natural person, this name must correspond to his name given at birth. In case more than one first name is associated with the subscriber, no more than one of these need be specified in the subject name; which first name is included is left to the subscriber. Additional attributes may be appended to the full name of the subscriber. Such attributes will be clearly separated from this full name.
In case the subscriber is an internetwork entity, the fully-qualified domain name (FQDN) must be used in the subject. In case no such FQDN is assigned, the entity is not eligible for certification under this policy. The FQDN may be preceded by an identifier representing a network service. The domain name part of the FQDN may be used as an organizationalUnitName. If this domain-based organizationalUnit is not included, the common name must be prefixed by the regular organisation naming convention. Hosts contained within the same logical network entity may be aggregated into the same organizationalUnit, even when the domain name part is different.
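The naming rules above (namespace prefix, subscriber class, and the FQDN requirement for the "hosts" and "servers" classes) can be checked mechanically before a certificate is issued or accepted. The following validator is an added example and not part of the DutchGrid CP/CPS or of any CA software; it assumes subject names in the OpenSSL "oneline" slash-separated form, assumes that a service prefix in the commonName is written as "service/fqdn", and uses a hypothetical RFC 1035-style label regex to decide what counts as an FQDN. The check that a "users" commonName should not look like a host name is an added heuristic, not a rule from the policy.

```python
import re
from typing import List, Tuple

# Subscriber classes named in the policy.
CLASSES = {"users", "hosts", "servers"}

# Hypothetical FQDN test (assumption): two or more RFC 1035-style labels
# separated by dots; the policy itself does not define FQDN syntax.
FQDN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$",
    re.IGNORECASE,
)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL-style DN such as
    '/O=dutchgrid/O=hosts/CN=host/www.example.org' into (attribute, value) pairs.

    A '/' only separates RDNs when it is immediately followed by 'attr=', so a
    service prefix like 'host/' inside the commonName stays part of the value.
    """
    if not dn.startswith("/"):
        raise ValueError("expected a DN starting with '/'")
    rdns = []
    for part in re.split(r"/(?=[A-Za-z]+=)", dn[1:]):
        attr, sep, value = part.partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr, value))
    return rdns


def validate_subject(dn: str) -> List[str]:
    """Return the policy violations found in a subject DN; an empty list means
    the name follows the naming rules quoted above."""
    rdns = parse_dn(dn)

    # Rule 1: every end-entity name starts with one of the two namespace prefixes.
    if rdns[:1] == [("O", "dutchgrid")]:
        rest = rdns[1:]
    elif rdns[:2] == [("DC", "org"), ("DC", "dutchgrid")]:
        rest = rdns[2:]
    else:
        return ["name does not start with /O=dutchgrid or /DC=org/DC=dutchgrid"]

    # Rule 2: the subscriber class follows immediately, as O=users|hosts|servers.
    if not rest or rest[0][0] != "O" or rest[0][1] not in CLASSES:
        return ["subscriber class O=users|hosts|servers missing after the prefix"]
    cls = rest[0][1]

    # Rule 3: the subject carries exactly one commonName with the subscriber's name.
    cns = [value for attr, value in rest[1:] if attr == "CN"]
    if len(cns) != 1:
        return ["exactly one commonName is required"]
    cn = cns[0]

    problems = []
    if cls == "users":
        if not cn.strip():
            problems.append("user certificate must carry the subscriber's full name")
        elif FQDN_RE.match(cn):
            # Added heuristic: a natural person's name should not parse as a host name.
            problems.append(f"user commonName {cn!r} looks like a host name")
    else:
        # Hosts and servers: an optional 'service/' prefix, then a mandatory FQDN.
        service, _, host = cn.rpartition("/")
        if not FQDN_RE.match(host):
            problems.append(f"{cls} commonName {cn!r} does not contain an FQDN")
        elif service and not re.fullmatch(r"[A-Za-z0-9_-]+", service):
            problems.append(f"service identifier {service!r} is not a simple token")
    return problems


if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    for sample in (
        "/O=dutchgrid/O=users/CN=Jane Doe",
        "/DC=org/DC=dutchgrid/O=hosts/OU=example.org/CN=host/www.example.org",
        "/O=dutchgrid/O=hosts/CN=localhost",
        "/O=example/O=users/CN=Jane Doe",
    ):
        print(sample, "->", validate_subject(sample) or "compliant")
```

The parser deliberately does not handle RFC 4514 comma-separated DNs or escaped characters; if the CA tooling exports names in that form, swap `parse_dn` for a library parser and keep `validate_subject` as is.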