- Bug
- Resolution: Fixed
- P4
- 5.0
- b58
- generic
- solaris_9
###@###.### 2004-06-02
The following methods should not be used:
X509CertSelector.setSubject(String)
X509CertSelector.setIssuer(String)
X509CRLSelector.setIssuer(String)
The reason is that the RFC 2253 String DN form is not canonical, and
may not uniquely identify an encoded DN in the certificate that is
to be matched. This is because an RFC 2253 String representation of
a distinguished name can lose information of the encoded form, such that it
is not possible to convert it back to the exact encoded form as
before. For example, if a DN contains an AttributeValue that is not
of type PrintableString or UTF8String, the ASN.1 tags indicating
what type of String it is are not emitted in the RFC 2253 String, thus
it is not possible to accurately compare it against an encoded DN.
Users should use the corresponding overloaded methods that take
an X500Principal or byte array, each of which preserves the full
information.
This was an oversight when the API was designed. It cannot be changed
now as it would affect backwards compatibility, but we can still advise
users to avoid these methods as there are legitimate workarounds.
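The following is an added example, not code from the bug report or the JDK, that puts the discouraged String-based selector beside the X500Principal and DER-byte forms the report recommends, and adds a check for whether a given DN even survives the RFC 2253 round trip unchanged. The certificate file path is a placeholder supplied by the caller.

```java
import java.io.FileInputStream;
import java.util.Arrays;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.cert.X509CertSelector;
import javax.security.auth.x500.X500Principal;

public class DnSelectorCheck {
    // Loads one X.509 certificate; the path is a placeholder for the caller's own file.
    static X509Certificate load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // True only if DN -> RFC 2253 string -> DN reproduces the exact DER bytes.
    // False means the string dropped information (e.g. ASN.1 string-type tags),
    // which is exactly the case the bug report warns about.
    static boolean stringRoundTripIsLossless(X500Principal dn) {
        X500Principal rebuilt = new X500Principal(dn.getName(X500Principal.RFC2253));
        return Arrays.equals(dn.getEncoded(), rebuilt.getEncoded());
    }

    // Discouraged form: the subject criterion is rebuilt from an RFC 2253 string.
    static boolean matchViaString(X509Certificate cert) throws Exception {
        X509CertSelector sel = new X509CertSelector();
        sel.setSubject(cert.getSubjectX500Principal().getName(X500Principal.RFC2253));
        return sel.match(cert);
    }

    // Recommended form: the X500Principal carries the full encoded DN.
    static boolean matchViaPrincipal(X509Certificate cert) {
        X509CertSelector sel = new X509CertSelector();
        sel.setSubject(cert.getSubjectX500Principal());
        return sel.match(cert);
    }

    // Equally recommended form: the DER-encoded DN bytes.
    static boolean matchViaDer(X509Certificate cert) throws Exception {
        X509CertSelector sel = new X509CertSelector();
        sel.setSubject(cert.getSubjectX500Principal().getEncoded());
        return sel.match(cert);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = load(args.length > 0 ? args[0] : "cert.pem"); // placeholder path
        System.out.println("lossless RFC 2253 round trip: " + stringRoundTripIsLossless(cert.getSubjectX500Principal()));
        System.out.println("match String/X500Principal/DER: " + matchViaString(cert) + "/" + matchViaPrincipal(cert) + "/" + matchViaDer(cert));
    }
}
```

Run it against certificates whose subject contains non-PrintableString, non-UTF8String attribute values (for example BMPString or T61String) to see the round-trip check report false while the X500Principal and DER forms still match.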