Bugzilla – Bug 6642
jglobus signing_policy checking should be case insensitive
Last modified: 2009-02-09 17:51:07
Currently, the jglobus signing_policy checking is case sensitive while the C signing_policy checking is case insensitive. In the C code, globus_i_gsi_cert_utils_dn_cmp() calls strcasecmp(), i.e., string comparison ignoring case.

David Groep explains:

> Actually: almost all attributes you would legitimately encounter
> in a DN are subtypes of attributeType 'name', which has
> EQUALITY MATCHING RULE caseIgnoreMatch
> SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
> as its definition in X.520.
> So, even when transliterated into a plain string representation (as in the
> "/"-separated or ","-separated formats) the comparison ought to be
> case-INsensitive.
>
> There is only one caveat: caseIgnoreMatch can only be done if the
> original encoding of the attribute value is PrintableString or IA5String.
> There is no defined algorithm to do a caseIgnoreMatch for UTF8 strings.
> So, if the original encoding of the attribute in the certificate was
> UTF8String, the matching ought to be exact. Alas: once transliterated
> into the "/" or "," string representation, the knowledge of the original
> attribute encoding is lost forever :-((
> Which is why one SHOULD have done matching on the original ASN.1 structure
> of the DN ...
>
> For the time being: you're likely fine doing case-insensitive matching
> unless the content of the DN is obviously UTF8 :-)

Here's a patch to bring jglobus in line with the C signing_policy code:

diff -u -r1.4 SigningPolicyParser.java --- src/org/globus/gsi/SigningPolicyParser.java 10 Apr 2008 00:20:32 -0000 1.4 +++ src/org/globus/gsi/SigningPolicyParser.java 9 Feb 2009 16:47:03 -0000 @@ -526,7 +526,7 @@ logger.debug("String with replaced pattern is " + patternStr); - return Pattern.compile(patternStr); + return Pattern.compile(patternStr, Pattern.CASE_INSENSITIVE); } // find first space or tab as separator.
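Review bot: at the changed `return Pattern.compile(patternStr, Pattern.CASE_INSENSITIVE);`, the flag applies to the whole compiled pattern, so every attribute value in the DN is compared ignoring case, including values whose original encoding was UTF8String, which the discussion above says ought to match exactly. In java.util.regex, CASE_INSENSITIVE without UNICODE_CASE folds only US-ASCII letters, so non-ASCII characters still compare exactly; that is probably the behaviour wanted here, but nothing in the hunk says so. Suggest a comment at this return stating that ASCII-only folding is intentional and that UNICODE_CASE is deliberately left out, and extending the preceding `logger.debug(...)` message to note that the pattern is compiled case-insensitively. No test accompanies the change; a policy subject and DN that differ only in case would pin the new behaviour.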
Thanks Jim. Fix committed to trunk and 4.0.x branch.
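The matching rule discussed in this bug, as an added example that is not jglobus code: it compares what `Pattern.CASE_INSENSITIVE` alone does on a non-ASCII DN with a stricter variant that falls back to exact matching when either string is "obviously UTF8". The class, the helpers `toRegex`, `isAscii` and `matches`, the treatment of `*` as the only wildcard, and the sample DNs are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class DnPolicyMatch {
    // Hypothetical helper: turn a policy subject such as "/C=US/O=Example/*"
    // into a regex. '*' is the only wildcard; everything else is quoted.
    static String toRegex(String policySubject) {
        StringBuilder sb = new StringBuilder();
        String[] literals = policySubject.split("\\*", -1);
        for (int i = 0; i < literals.length; i++) {
            if (i > 0) sb.append(".*");
            sb.append(Pattern.quote(literals[i]));
        }
        return sb.toString();
    }

    // True when every character is US-ASCII, i.e. the string could have come
    // from PrintableString or IA5String attribute values.
    static boolean isAscii(String s) {
        return StandardCharsets.US_ASCII.newEncoder().canEncode(s);
    }

    // Ignore case only when both sides are pure ASCII; otherwise match exactly,
    // following the "unless the DN is obviously UTF8" advice quoted in the bug.
    static boolean matches(String policySubject, String dn) {
        int flags = (isAscii(policySubject) && isAscii(dn)) ? Pattern.CASE_INSENSITIVE : 0;
        return Pattern.compile(toRegex(policySubject), flags).matcher(dn).matches();
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real CA or policy file.
        String asciiPolicy = "/C=US/O=Example Grid/*";
        String utf8Policy = "/C=FR/O=Universit\u00e9 Exemple/*";
        String lowerAsciiDn = "/c=us/o=example grid/CN=host1";
        String lowerUtf8Dn = "/c=fr/o=universit\u00e9 exemple/CN=host1";
        String upperUtf8Dn = "/C=FR/O=UNIVERSIT\u00c9 EXEMPLE/CN=host1";

        // Flag alone: ASCII letters fold, but U+00E9 and U+00C9 do not
        // (that would need Pattern.UNICODE_CASE as well).
        Pattern flagOnly = Pattern.compile(toRegex(utf8Policy), Pattern.CASE_INSENSITIVE);
        System.out.println("flag only, ASCII case differs: " + flagOnly.matcher(lowerUtf8Dn).matches());
        System.out.println("flag only, accent case differs: " + flagOnly.matcher(upperUtf8Dn).matches());

        // Guarded variant: ASCII DNs ignore case, non-ASCII DNs must match exactly.
        System.out.println("guarded, ASCII DN: " + matches(asciiPolicy, lowerAsciiDn));
        System.out.println("guarded, UTF-8 DN, case differs: " + matches(utf8Policy, lowerUtf8Dn));
    }
}
```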