OASIS eXtensible Access Control Markup Language (XACML) TC


[xacml] x500Name-equal and X500Name-match errors in Functions v13

    Posted 09-26-2002 18:11
    The descriptions for the functions x500Name-equal and x500Name-match in XACML_Functions.doc v13 are mixed up. In particular, the "x500Name-match" description is actually the "x500Name-equal" description. Here are the correct descriptions:

    o x500Name-equal

      This function shall take two arguments of "xacml:x500Name" and shall return an "xs:boolean". It shall return true if and only if each Relative Distinguished Name (RDN) in the two arguments matches. Two RDNs match if and only if the result of the following operations is true.[3]

      First, normalize the two arguments according to IETF RFC 2253 "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names".

      Second, if any RDN contains multiple attributeTypeAndValue pairs, re-order the Attribute ValuePairs in that RDN in ascending order when compared as octet strings (described in ITU-T Rec. X.690 (1997 E) Section 11.6 "Set-of components").

      Finally, compare RDNs using the rules in IETF RFC 3280 "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", Section 4.2.1.4 "Issuer".

    o x500Name-match

      This function shall take two arguments of "xacml:x500Name" and shall return an "xs:boolean". It shall return true if and only if the first argument matches some terminal sequence of RDNs from the second argument when compared using x500Name-equal.

    Anne Anderson
    --
    Anne H. Anderson               Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
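Added example, not part of the original message or of the XACML specification: a Python sketch of the two functions as described in the post, comparing RDN by RDN rather than by raw string suffix. Assumptions: names arrive as RFC 2253 strings without quoted or `#hex` values, every value is compared like a PrintableString (case-insensitive, whitespace collapsed), "terminal sequence" means the trailing RDNs in RFC 2253 string order, and the sort key is the UTF-8 text of each pair as a stand-in for its DER octets; the function names and sample DNs are constructed for illustration.

```python
import re

def _split(s, sep):
    """Split on an unescaped separator, honouring RFC 2253 backslash escapes."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])   # keep the escaped pair together
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts

def _normalize_rdn(rdn):
    """Return the RDN as a sorted tuple of (type, value) pairs."""
    avas = []
    for ava in _split(rdn, "+"):          # '+' joins a multi-valued RDN
        attr_type, eq, value = ava.partition("=")
        if not eq or not attr_type.strip():
            raise ValueError("malformed attributeTypeAndValue: %r" % ava)
        # Assumption: PrintableString-style comparison for every value.
        value = re.sub(r"\s+", " ", value.strip()).lower()
        avas.append((attr_type.strip().lower(), value))
    # Assumption: UTF-8 text order stands in for DER octet-string order.
    return tuple(sorted(avas, key=lambda p: (p[0].encode(), p[1].encode())))

def parse_dn(dn):
    """Parse an RFC 2253 string into a list of normalized RDNs."""
    return [_normalize_rdn(r) for r in _split(dn, ",")]

def x500name_equal(a, b):
    """True only if both names have the same RDNs in the same order."""
    return parse_dn(a) == parse_dn(b)

def x500name_match(first, second):
    """True only if 'first' equals the trailing RDNs of 'second'."""
    tail, full = parse_dn(first), parse_dn(second)
    return len(tail) <= len(full) and full[-len(tail):] == tail
```

Malformed input raises `ValueError`; a policy engine calling these functions should treat that as a non-match rather than let it fall through to a permit.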