GSA / piv-guides

This is the old location for the PIV Playbook. New location below.
https://playbooks.idmanagement.gov/piv/

[Account Linking] Subject CN of recently issued PIV differs from Guidance #187

Closed pdemro closed 3 years ago

pdemro commented 7 years ago

Description of Issue:

Subject CN appears different from documented examples for NASA PIV. I am using the following PowerShell to output the subject:

# Select the first certificate in the current user's personal store whose Subject contains the user name
Set-Location Cert:\CurrentUser\My
$certs = Get-ChildItem | Where-Object { $_.Subject -like "*jgdoe*" }
$cert = $certs[0]
# Windows prints the Subject leaf-first (CN/UID first, C=US last), the reverse of the documentation's order
$cert.Subject

Example from Documentation: C=US,O=U.S. Government,OU=Government Agency,CN=JANE DOE OID.0.9.2342.19200300.100.1.1=25001003151020

Actual: OID.0.9.2342.19200300.100.1.1=jgdoe + CN=John Doe (affiliate), OU=People, OU=NASA, O=U.S. Government, C=US

Details of Issue:

  1. Username formatted identifier (rather than ID number suggested in guidance)
  2. Unexpected "+" syntax separating CN and OID

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

Guidance From https://piv.idmanagement.gov/networkconfig/accounts/

Question

I have a few questions related to this discrepancy

  1. Is the user name considered a unique ID for the issuing agency (in this case jgdoe)?
  2. Does the affiliate tag have an impact on the formatting of the Subject? In other words, would an FTE have different subject formatting than an affiliate (other than the "affiliate" tag in parentheses)?
  3. Is there any guidance for an end user to retrieve their Subject, similar to the DoD's CAC EDIPI: https://register.eucom.mil/EDIPI.htm?

Thank you in advance. Happy to update the documentation with findings here if it would be helpful
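The "+" in the actual Subject above is the RFC 4514 separator for a multi-valued RDN: the UID attribute (OID 0.9.2342.19200300.100.1.1, which Windows prints as "OID.0.9.2342.19200300.100.1.1") and the CN live in the same RDN rather than in two consecutive ones, so a naive split on commas leaves them fused in one field. The following is an added example, not code from the issue or from the piv-guides project: a PowerShell parser that splits the Windows-formatted Subject string into RDNs and attributes (honouring quoted values and flagging the multi-valued RDN), plus a helper that pulls the UID, the CN, the "(affiliate)" marker and the SAN UPN out of a certificate object, which also addresses question 3 above. Assumptions: the OID-to-name table only covers UID; the SAN extension's Format() output renders the UPN otherName as "Principal Name=<upn>" (an assumption about Windows' English display strings); the sample Subject string is the one quoted in the issue.

```powershell
# Added example (not from the original issue). Parses a Windows-formatted Subject
# string, including the "+" multi-valued RDN, and extracts PIV identifiers.

# OIDs that Windows prints raw in Subject strings; only UID is needed here (assumption).
$script:OidNames = @{ '0.9.2342.19200300.100.1.1' = 'UID' }

function ConvertFrom-DnString {
    # Returns one object per attribute: Rdn (index), Type, Value, MultiValued.
    # A comma ends an RDN, a plus ends an attribute inside the same RDN, and
    # both are ignored while inside a double-quoted value.
    param([Parameter(Mandatory)][string]$Dn)
    $tokens = New-Object System.Collections.Generic.List[object]
    $buf = ''; $rdn = 0; $inQuote = $false
    foreach ($ch in $Dn.ToCharArray()) {
        if ($ch -eq '"') { $inQuote = -not $inQuote; continue }
        if (-not $inQuote -and ($ch -eq ',' -or $ch -eq '+')) {
            $tokens.Add(@{ Text = $buf; Rdn = $rdn })
            $buf = ''
            if ($ch -eq ',') { $rdn++ }
            continue
        }
        $buf += $ch
    }
    $tokens.Add(@{ Text = $buf; Rdn = $rdn })
    # Count attributes per RDN so multi-valued RDNs can be flagged.
    $counts = @{}
    foreach ($t in $tokens) { $counts[$t.Rdn] = 1 + [int]$counts[$t.Rdn] }
    foreach ($t in $tokens) {
        $type, $value = $t.Text.Trim() -split '=', 2
        $type = $type.Trim() -replace '^OID\.', ''
        if ($script:OidNames.ContainsKey($type)) { $type = $script:OidNames[$type] }
        [pscustomobject]@{
            Rdn         = $t.Rdn
            Type        = $type
            Value       = "$value".Trim()
            MultiValued = ($counts[$t.Rdn] -gt 1)
        }
    }
}

function Get-PivIdentifiers {
    # Pulls the identifiers an account-linking workflow cares about out of one cert.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $attrs = ConvertFrom-DnString -Dn $Certificate.Subject
    $cn  = ($attrs | Where-Object { $_.Type -eq 'CN' }  | Select-Object -First 1).Value
    $uid = ($attrs | Where-Object { $_.Type -eq 'UID' } | Select-Object -First 1).Value
    # Subject Alternative Name (2.5.29.17); Windows renders the UPN otherName as
    # "Principal Name=<upn>" in Format() output (assumption about display strings).
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $upn = $null
    if ($san) {
        $m = [regex]::Match($san.Format($true), 'Principal Name=(\S+)')
        if ($m.Success) { $upn = $m.Groups[1].Value }
    }
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        UID        = $uid
        CommonName = $cn
        Affiliate  = [bool]($cn -match '\(affiliate\)')
        UPN        = $upn
        Thumbprint = $Certificate.Thumbprint
    }
}

# Constructed sample: the "Actual" Subject quoted in the issue.
$actual = 'OID.0.9.2342.19200300.100.1.1=jgdoe + CN=John Doe (affiliate), OU=People, OU=NASA, O=U.S. Government, C=US'
ConvertFrom-DnString -Dn $actual | Format-Table Rdn, MultiValued, Type, Value -AutoSize

# Live use against the current user's store (requires a PIV cert to be present).
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like '*jgdoe*' } |
    ForEach-Object { Get-PivIdentifiers -Certificate $_ }
```

In the table the UID and CN rows share Rdn 0 and are flagged MultiValued, while each OU, O and C lands in its own RDN. Two practical points follow from this: any account-linking logic that compares Subjects as strings must treat " + " and "," differently, and matching a certificate with `-like "*jgdoe*"` on the Subject is only a convenience for the console, since the UID is not guaranteed unique across issuers; for linking, key on the thumbprint or on the SAN identifiers (UPN, FASC-N or UUID) the certificate actually carries.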

maxwellfunk commented 3 years ago
  1. User name or CN should be unique to an internal issuing agency, but there is no guarantee that there are not external collisions
  2. yes
  3. EDIPI is in several certificate fields, including the Subject Alternative Name as a prefix to a UPN; this is similar to FASC-N or UUID for PIV holders.