I learned a lot from working on x500Name-match, and would like to update x500Name-equal to be consistent as follows:

This function takes two arguments of "xacml:x500Name" and returns "xs:boolean". It returns true if and only if each Relative Distinguished Name (RDN) in the two arguments matches. Two RDNs match if and only if the result of the following operations is true:

First, normalize the two RDNs according to IETF RFC 2253 "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names".

Second, if any RDN contains multiple attributeTypeAndValue pairs, re-order the attributeTypeAndValue pairs in that RDN in ascending order when compared as octet strings (described in ITU-T Rec. X.690 (1997 E) Section 11.6, "Set-of components").

Finally, compare the RDNs using the rules in IETF RFC 3280 "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", Section 4.2.1.4 "Issuer".

Anne

--
Anne H. Anderson
Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311
Burlington, MA 01803-0902 USA
Tel: 781/442-0928
Fax: 781/442-1692
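The three-step comparison proposed above, worked through as an added Python example (not code from the message or from any XACML implementation). It assumes every attribute value can be treated as PrintableString-like text so the RFC 3280 case-folding and whitespace rule applies, unescapes only single-character RFC 2253 backslash escapes (hex pairs and '#'-prefixed BER values are out of scope), sorts multi-valued RDNs by the UTF-8 octets of their normalized "type=value" text rather than by DER encoding, and does not map type keywords to OIDs.

```python
import re

# Added example: a simplified x500Name-equal following the message's procedure.
# Assumptions (not from the original): values are PrintableString-like text;
# only "\X" single-character escapes are handled; multi-valued RDNs are sorted
# by the UTF-8 octets of the normalized "type=value" text; no keyword-to-OID mapping.


def _normalize_value(raw: str) -> str:
    """RFC 3280 4.2.1.4 comparison rules for PrintableString values."""
    value = re.sub(r'\\(.)', r'\1', raw)         # drop RFC 2253 backslash escapes
    value = re.sub(r'\s+', ' ', value.strip())   # trim, collapse inner whitespace
    return value.lower()                         # PrintableString is case-insensitive


def _parse_rdn(rdn: str) -> tuple:
    """Split one RDN on unescaped '+' into attributeTypeAndValue pairs,
    normalize each, and sort them so multi-valued RDNs compare order-independently
    (stand-in for the X.690 11.6 set-of ordering)."""
    avas = []
    for ava in re.split(r'(?<!\\)\+', rdn):
        attr_type, sep, value = ava.partition('=')
        if not sep:
            raise ValueError(f"malformed attributeTypeAndValue: {ava!r}")
        avas.append((attr_type.strip().lower(), _normalize_value(value)))
    return tuple(sorted(avas, key=lambda a: f"{a[0]}={a[1]}".encode('utf-8')))


def parse_x500name(dn: str) -> tuple:
    """Parse an RFC 2253 string DN into normalized RDNs; RDN order stays significant."""
    return tuple(_parse_rdn(rdn) for rdn in re.split(r'(?<!\\),', dn))


def x500name_equal(a: str, b: str) -> bool:
    """True iff each RDN of a matches the corresponding RDN of b."""
    return parse_x500name(a) == parse_x500name(b)


if __name__ == "__main__":
    # Constructed sample names.
    print(x500name_equal("CN=Anne Anderson,O=Sun Microsystems,C=US",
                         "cn=anne  anderson , o=Sun Microsystems, c=us"))   # True
    print(x500name_equal("OU=Labs+CN=Anne,O=Sun", "CN=Anne+OU=Labs,O=Sun"))  # True
    print(x500name_equal("CN=Anne,O=Sun", "O=Sun,CN=Anne"))                  # False
```

Note that only the pairs inside one RDN are reordered; the RDN sequence itself is still compared positionally, so "CN=Anne,O=Sun" and "O=Sun,CN=Anne" are different names.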