Ah, but it is on the directory side of things. When we create the directory entry, the 0.9.2342.19200300.100.1.1 = D01E473E000000F58FE3DDDC00000709 is a multi name attribute. I can either search for Russel F Weiser and get multiple entries for Russel F Weiser, or, if I formulate the LDAP search as 0.9.2342.19200300.100.1.1 = D01E473E000000F58FE3DDDC00000709+CN = Russel F Weiser, I will get that exact entry only. I am just trying to understand what the discussion was about.

Several years ago, when I was looking at all this, I tried to get CAs to create DNs that were multivalued RDNs, but none of the CAs would do this. So I just made the directory do it when we published the certificate into the directory. This allowed me to perform name uniqueness without searching the directory prior to signing a certificate.

cheers
RFW
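The behaviour described in the message above, as an added Python sketch that is not part of the original post: a multivalued RDN is treated as an unordered set of attribute/value pairs, so a CN-only search matches several entries while the uid+CN form matches exactly one. The helper names, the second uid value and the in-memory entry list are constructed for illustration; hex-pair escapes are not decoded.

```python
import re

UID_OID = "0.9.2342.19200300.100.1.1"          # OID of the uid (userid) attribute type
ALIASES = {"uid": UID_OID, "cn": "2.5.4.3"}    # short names mapped to their OIDs

def _split(s, sep):
    """Split on sep, leaving backslash-escaped characters inside the value."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2
        elif s[i] == sep:
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(s[i]); i += 1
    parts.append("".join(cur))
    return parts

def parse_rdn(rdn):
    """Return the RDN as a frozenset of (type, value); AVA order does not matter."""
    avas = set()
    for ava in _split(rdn, "+"):
        attr, _, value = ava.partition("=")
        attr = attr.strip().lower()
        value = re.sub(r"\s+", " ", value.strip()).lower()  # case-insensitive match
        avas.add((ALIASES.get(attr, attr), value))
    return frozenset(avas)

def search(entries, rdn_filter):
    """Entries whose RDN contains every AVA in the filter."""
    want = parse_rdn(rdn_filter)
    return [e for e in entries if want <= parse_rdn(e)]

def publish(entries, rdn):
    """Add an entry only if no existing entry carries the same RDN."""
    if any(parse_rdn(e) == parse_rdn(rdn) for e in entries):
        return False
    entries.append(rdn)
    return True

# Constructed sample directory: same CN, different uid (second uid is made up).
ENTRIES = [
    "UID=D01E473E000000F58FE3DDDC00000709+CN=Russel F Weiser",
    "UID=D01E473E000000F58FE3DDDC0000070A+CN=Russel F Weiser",
]
```
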