dual access control (physical and technical, but first of all organizational aspects)
access control, but who controls the access control regulations? (no self control)
how to integrate privacy officers; public certificates - not always public certificates - which fields must be published? PID vs. new ID; what is the identity of a person in conventional areas
There are numerous situations where it is a good idea to operate more than one PKI for end users. Perhaps you need a server CA and a separate user CA. Sometimes an old CA is still active, issuing CRLs because there are still valid certificates, while the new CA already issues certificates. Other people use different CAs to establish easy access control by the certificate chains (so-called trust paths). You see, there really are many situations where you have to operate more than one PKI.
Most PKI programmers like me have no problem distinguishing between different PKIs because we always ask who issued this certificate, but which normal user does this? He simply looks at the certificate, calls the hotline and asks why the certificate for Jon Doe with the serial 12345 does not work. The guy from the hotline looks into his computer and answers that the certificate is correct and valid. So what's going on?
A certificate has two significant things that identify it, which are different from the common name in the subject of the certificate and which are easy to handle (by the way, the keyID and issuer from the authority key identifier are not easy to handle for an end user). First there is a serial and second there is an issuer. If a customer calls a hotline, the easiest way to handle a problem is organization-wide unique serials. If you start a second CA or you have to replace an old CA, never reuse serials if you can avoid it. You will search for hours if somebody calls you and reports a broken certificate chain for certificate 12345 and you have two of those certificates. If you ever issued certificates with identical serials, then always ask for the issuer if you receive an error report. Never ever create a replacement for an old CA with the same name. It only causes trouble.
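The hotline scenario above, as an added example (not code from the original notes): a small inventory of certificates issued by several CAs of one organization, with a lookup that takes exactly the identifiers a caller can supply. All CA names, key identifiers, serials and subjects are constructed. It shows why a bare serial is only useful when it is unique organization-wide, why a replacement CA with the old CA's name leaves the authority key identifier as the only disambiguator, and how one shared serial sequence avoids both problems.

```python
"""Identifying certificates by (issuer, serial) across several CAs.

Added example, not from the original notes. All CA names, key
identifiers, serials and subjects below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CertRecord:
    issuer: str         # issuer DN, what a user sees in a certificate viewer
    serial: int         # certificate serial number
    subject: str        # subject DN
    issuer_key_id: str  # authority key identifier of the issuing CA key (hex)


class AmbiguousSerial(LookupError):
    """More than one issued certificate matches the given identifiers."""


# Constructed inventory: an old user CA, a replacement CA that reused the
# old CA's name and restarted its serials, a server CA that also started
# at the same serial, and a new user CA with a distinct name.
RECORDS = [
    CertRecord("CN=Example User CA,O=Example Corp", 12345, "CN=Jon Doe", "aa:01"),
    CertRecord("CN=Example User CA,O=Example Corp", 12345, "CN=Jon Doe", "bb:02"),
    CertRecord("CN=Example Server CA,O=Example Corp", 12345, "CN=mail.example.test", "cc:03"),
    CertRecord("CN=Example User CA 2,O=Example Corp", 20001, "CN=Jane Roe", "dd:04"),
]


def duplicate_serials(records):
    """Map each serial issued more than once in the organization to its records."""
    by_serial = defaultdict(list)
    for rec in records:
        by_serial[rec.serial].append(rec)
    return {s: recs for s, recs in by_serial.items() if len(recs) > 1}


def same_name_cas(records):
    """Issuer DNs behind which more than one CA key has issued certificates."""
    keys_by_issuer = defaultdict(set)
    for rec in records:
        keys_by_issuer[rec.issuer].add(rec.issuer_key_id)
    return {dn for dn, keys in keys_by_issuer.items() if len(keys) > 1}


def resolve(records, serial, issuer=None, issuer_key_id=None):
    """Find the one certificate matching the identifiers a caller can give.

    A hotline usually gets only the serial; the issuer DN is the next thing
    a user can read off the certificate; the key identifier is the last
    resort and rarely available from an end user.
    """
    matches = [
        rec for rec in records
        if rec.serial == serial
        and (issuer is None or rec.issuer == issuer)
        and (issuer_key_id is None or rec.issuer_key_id == issuer_key_id)
    ]
    if not matches:
        raise LookupError(f"no certificate with serial {serial}")
    if len(matches) > 1:
        issuers = sorted({(r.issuer, r.issuer_key_id) for r in matches})
        raise AmbiguousSerial(f"serial {serial} issued by {issuers}")
    return matches[0]


def next_unique_serial(records):
    """Next serial above anything any CA in the organization ever issued."""
    return max((rec.serial for rec in records), default=0) + 1


def issue(records, issuer, issuer_key_id, subject):
    """Issue from one serial sequence shared by all CAs, so the new serial
    cannot collide with anything already recorded, whichever CA signs it."""
    rec = CertRecord(issuer, next_unique_serial(records), subject, issuer_key_id)
    records.append(rec)
    return rec


if __name__ == "__main__":
    for serial, recs in duplicate_serials(RECORDS).items():
        print(f"serial {serial} was issued {len(recs)} times")
    print("CA names used by more than one key:", same_name_cas(RECORDS))
```

With the constructed inventory, a lookup by serial 12345 alone is ambiguous, adding the issuer DN still does not separate the old user CA from its same-named replacement, and only the key identifier resolves it; serial 20001 resolves directly because the new user CA continued the organization-wide sequence instead of restarting at 1.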
The summary is very simple: if you avoid duplicate identifiers, you automatically avoid many problems.