Steve,
I'm completely confused by your message about rules for comparing
DN equality in different contexts (signature, matching and
presentation) and the relevance to the PEM context. A DN is a
sequence of sets of AVA pairs. Each RDN is a set of AVA pairs.
Often an RDN will be a singleton set, so order is not an issue
here. Only when there are multiple AVAs in an RDN is order an
issue.
X.509 defines provides rules for a distinguished encoding of data
to be signed. Since a certificate is encoding of data to be
signed, in order to ensure canonical encoding for signature
generation and verification. Since a certificate is a signed data
object, the DER apply to it when signing or validating a
certificate.
Matching rules for searching in an X.500 DSA don't seem to be a
PEM issue, per se. Presentation transformations are defined in
1421 for PEM header elements, including DNs, and these describe
how equality matching is to be performed in the PEM context.
So, what's the question?
Steve