If one, instead of using the role attribute type defined in X.509, uses an
extension specified for that purpose and thereby assigns privileges to a
public-key certificate without the use of the subjectDirectoryAttributes
extension, is this a violation of X.509? Does it prevent the use of some of
the extensions defined in Section 3 otherwise only allowed if the
subjectDirectoryAttributes extension is included?

It is not a theoretical question. IEC 62351-8 defines such a role extension.
As it was published in 2011 and as it is a key smart grid security
specification, it is probably implemented in a lot of systems. It will be
used in the Danish grid (whether I like it or not).
Regards,
Erik