[1] The directory services were developed to support requirements of X.400 electronic mail exchange and name lookup.
X.520 and X.521 together provide a definition of a set of attributes and object classes to be used for representing people and organizations as entries in the DIT.
The current use of X.509v3 certificates outside the Directory structure loaded directly into web browsers was necessary for e-commerce to develop by allowing for secure web based (SSL/TLS) communications which did not require the X.500 directory as a source of digital certificates as originally conceived in X.500 (1988).
One should contrast the role of X.500 and X.509 to understand their relationship in that X.509 was designed to be the secure access method for updating X.500 before the WWW, but when web browsers became popular there needed to be a simple method of encrypting connections on the transport layer to web sites.
[2] The WWW e-commerce implementation of X.509v3 bypassed but did not replace the original ISO standard authentication mechanism of binding distinguished names in the X.500 Directory.
These packages of certificates can be added or removed by the end user in their software, but are reviewed by Microsoft and Mozilla in terms of their continued trustworthiness.
Should a problem arise, such as what occurred with DigiNotar, browser security experts can issue an update to mark a certificate authority as untrusted, but this is a serious removal effectively of that CA from "internet trust".
X.500 offers a way to view which organization claims a specific root certificate, outside of that provided bundle.
This can function as a "4 corner model of trust" adding another check to determine if a root certificate has been compromised.
The contrast of this browser bundled approach is that in X.500 or LDAP the attribute "caCertificate" can be "bound" to a directory entry and checked in addition to the default pre-loaded bundle of certificates of which end users typically have never noticed unless an SSL warning message has appeared.
The "bound" distinguished name is located in the subject fields of the certificate which matches the Directory entry.
The certificate itself is public and considered to be unforgeable and can therefore be distributed in any manner, but an associated binding to an identity occurs in the Directory.
This was done in order to create a MITM attack against political activists in Syria accessing Facebook over the web.
The issue of an authoritative bind then is detailed in RFCs related to the accuracy of the DNS information secured by signing from the root using DNSSEC.
The concept of root name servers has been a source of major contention in the Internet community, but for DNS is largely resolved.
The X.500 pilot project has been in development in the commercial space, and the technology continues to be present in major installations of millions of users within corporate data centers, and within the U.S. Government for credentialing.