pem-dev

Re: DN's formation

1993-07-21 09:58:00
Tom,

Let me formalize the notation a bit.  Perhaps it will help.

A distinguished name is enclosed in '{}', the contents of which is an
ordered list of elements separated by ';'.  The elements of a
distinguished name are relative distinguished names (RDNs).

An RDN is enclosed in '()', the contents of which is a set of elements
separated by ','.  The elements are unordered and are called attribute
value assertions (AVAs).

In a distinguished name, the RDNs are related to each other only with
respect to their order.  The contents of each RDN are independent of
each other.

Within an RDN, the attributes must be unique.  Or, to put it another
way, a particular attribute (for example, a country name, an
organization name, a common name, etc.) may appear at most one time in
an RDN and it may appear in multiple RDNs.

With that in mind:

        Rose> { (c=US); (st=California); (o=DBC,l=Mountain View,l=Santa Clara)}
               is illegal.

This is illegal as a distinguished name because the locality attribute
("l=") appears twice in the last RDN of the distinguished name.
        
        From a strict application of X.501 I can see that, but what about
        
         { (c=US); (st=California); (o=DBC); (l=Mountain View);
                (l=Santa Clara)}
        
        From my reading of the X.500's this must be legal.

This is legal because within each RDN the attributes are distinct.  The
locality attribute is allowed to appear in more than one RDN.  Do the
added notational conventions help to understand this?

        And so should
        
         { (c=US); (st=Confusion); (o=DBC, cn=MTRose); (l=Santa Clara,
         cn=Marshall)}

This is also legal, for the same reason, although the attribute that
appears twice is the common name attribute.

Does this help?

Jim

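The notation Jim lays out above, as an added example that is not part of the original thread: a small Python parser for the `{ (...); (...) }` form and a check of the one-attribute-per-RDN rule, run over the three DNs discussed in the message. Treating surrounding whitespace as insignificant and comparing attribute types case-insensitively are assumptions of this example, not rules stated in the message.

```python
# Added example, not code from the original message. A DN is '{...}' holding an
# ordered, ';'-separated list of RDNs; an RDN is '(...)' holding a ','-separated
# set of attribute=value assertions (AVAs). Attribute types are lower-cased before
# comparison (assumption); values containing ',' or ';' are not handled, since the
# notation in the message does not define any quoting for them.

def parse_dn(text):
    """Return a list of RDNs, in order; each RDN is a list of (attribute, value) pairs."""
    text = text.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("DN must be enclosed in '{}'")
    rdns = []
    for chunk in text[1:-1].split(";"):
        chunk = chunk.strip()
        if not (chunk.startswith("(") and chunk.endswith(")")):
            raise ValueError("RDN must be enclosed in '()': %r" % chunk)
        avas = []
        for ava in chunk[1:-1].split(","):
            attr, sep, value = ava.partition("=")
            if not sep or not attr.strip():
                raise ValueError("AVA must be attribute=value: %r" % ava)
            avas.append((attr.strip().lower(), value.strip()))
        rdns.append(avas)
    return rdns

def check_dn(text):
    """Apply the rule from the message: within one RDN an attribute type may appear
    at most once, while it may recur across RDNs. Returns (ok, reason)."""
    for index, rdn in enumerate(parse_dn(text), start=1):
        seen = set()
        for attr, _ in rdn:
            if attr in seen:
                return False, "attribute '%s' appears twice in RDN %d" % (attr, index)
            seen.add(attr)
    return True, "legal"

if __name__ == "__main__":
    # The three distinguished names discussed in the thread.
    for dn in [
        "{ (c=US); (st=California); (o=DBC,l=Mountain View,l=Santa Clara)}",
        "{ (c=US); (st=California); (o=DBC); (l=Mountain View); (l=Santa Clara)}",
        "{ (c=US); (st=Confusion); (o=DBC, cn=MTRose); (l=Santa Clara, cn=Marshall)}",
    ]:
        print(dn, "->", check_dn(dn))
```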