This is a really nice article. By way of a little history, the specification that defines certificates is X.509, and is part of the series that describes the OSI Directory - which ended up simplified as LDAP. A certificate contains, in effect, a bunch of LDAP attributes - and so it literally can contain Bob's photo via the jpegPhoto attribute. That's not likely to happen, though, because a Certification Authority ought to only sign a certificate when it can verify every attribute within it.
One thing you haven't mentioned is revocation and status checking... But maybe I should write something on that.
Which I've done: Licensed Revoked; Certificate Status Checking in PKIX.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.