Superconductor

In a perfect world, all standards would be useful and reflect a consensus of experts. Unfortunately, we don't live in such a world, so some standards aren't very useful. This makes things tricky for vendors who have to explain to customers why they don't follow certain standards. A good example of this is ISO 15782-1, Certificate management for financial services – Part : Public-key certificates. Section 6.3.4 of this document has the following requirement for certificate authorities:

c) ensure that there is no duplication of the requester's distinguished name with that of any other entity certified by the CA

This means that once you get your first certificate, you can't get another one, which is a requirement that makes other best practices impossible. It's common, for example, for users to have three different certificates: one that's only used for encryption, one that's only used for digital signatures and one that's only used for authentication.

But if you follow ISO 15782-1, you can't get three certificates for the same person unless the certificates are requested for different names. So while you can't get three certificates for "Bob," you could get three certificates for "Bob, the guy who needs to encrypt," "Bob, the guy who needs to use digital signatures" and "Bob, the guy who needs to authenticate." Most systems don't give users such names, and I'm not sure that modifying your naming scheme to work this way is even a good idea. This makes it very unlikely that any CA is going to follow ISO 15782-1.

This requirement seems to also make it impossible to get a new certificate after a certificate expires. After all, the user with the name "Bob" is still the user with name "Bob" after his current certificate expires. The workaround for this is even worse. You could have a user "Bob, the guy with certificate number 8675309," and change his name to "Bob, the guy with certificate number 8675410" when he his old certificate expires and he gets a new one, but this is an even wore idea than changing the name to reflect the use of a certificate. Another workaround is to have a user "Bob, the guy living in the year 2008" and another user "Bob, the guy living in the year 2009," but that's not really a good idea either.

So there seems to be no reason for a reasonable PKI product to actually follow ISO 15782-1. It's probably too much work for vendors to try to explain why following ISO 15782-1 doesn't make sense, so they're probably more likely to just have an option for their CA products that puts you into ISO 15782-1 mode, even though absolutely nobody will ever run their product in that mode.