Hello Sam, As I mentioned, there are two straightforward ways to implement the service matching rules syntax: - Glob patterns[0] - Regular expressions[1] Glob patterns are simpler to read/write by mere mortals but the Glib API does not implement "[...]" character ranges, only '*' and '?' and they cannot cannot be escaped. If we know 100% that '*' and '?' cannot be part of a service string then we are fine. The regular expressions API implements the Perl style regex syntax. I have the gut feeling that even though writing and reading regex patterns is generally harder for humans they are more powerful. Say you want a rule that specifies a matching rule just for email and jabber @domain.com, in the case of glob patterns this wouldn't be possible, you would have to create one rule per service as *@domain.com would be a too wide rule. In any case I will leave the decision up to you Sam. In another note I have a question with regards to the identity selection algorithm. I am not quite sure I understand the concept of identity constraint with regards to the algorithm itself. Is an identity constraint just the NAI or am I missing something? Thanks a lot, Alberto [0] http://developer.gnome.org/glib/2.28/glib-Glob-style-pattern-matching.html <http://developer.gnome.org/glib/2.28/glib-Glob-style-pattern-matching.html> [1] http://developer.gnome.org/glib/2.29/glib-Perl-compatible-regular-expressions.html