[Freeipa-devel] LDAP schema for PKCS#11

Derek Moore derek.p.moore at gmail.com
Wed Mar 5 15:25:44 UTC 2014


In your descriptions, can you translate all acronyms according to:

http://www.cryptsoft.com/pkcs11doc/v220/group__SEC__5__SYMBOLS__AND__ABBREVIATIONS.html
...and...
http://www.cryptsoft.com/pkcs11doc/v220/group__SEC__10__2__COMMON__ATTRIBUTES.html

E.g., instead of saying " pkcs11certificateCategory" is "represent
CKA_CERTIFICATE_CATEGORY", can you say, "Categorization of the certificate:
0 = unspecified (default value), 1 = token user, 2 = authority, 3 = other
entity" or whatever the translation of that enumeration might be in LDAP.

You have good descriptions throughout your spec, but don't put those
descriptions into your rfc2252 LDAP attribute definitions where they belong.

Also, how are you deciding on capitalization in all cases? E.g,
pkcs11uniqueid vs. pkcs11uniqueId vs. pkcs11uniqueID.

See #3.5, supposed to be pkcs11nsstrust (pkcs11nssTrust?), but it starts
with "(  <ipapkcs11OID>.2.5 NAME  'pkcs11certificate' ".


I guess the crux of my recommendation is: make your schema entirely
independent of the PKCS#11 standard. In other words, incorporate more of
the standard's language into your actual schema definition file, so that
users don't have to constantly compare and contrast against separate
documents. Removing or at least demoting PKCS#11 C library #define
artifacts.


Thanks,

Derek


On Mon, Mar 3, 2014 at 5:51 AM, Ludwig Krispenz <lkrispen at redhat.com> wrote:

> Hi,
>
> starting a new thread, after a lot of discussion and feedback, which I
> tried to integrate into thecurrent draft at:
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/pkcs11Schema
>
> Here are some design decisions I made and which need to be finally decided.
>
> 1] Add nss trust objects.
> These are not defined in the PKCS#11 standard, but Jan said they will be
> needed and I added them to the spec
>
> 2] Certificate representation
> In pkcs11 there is a certificate category (user, authority, ..) and
> certificate value. An alternate way to represent this would be to use the
> schema defined in rfc4523 and map
> (user, value) --> (objectclass: pkiUser, usercertificate) and (authority,
> value) --> (objectclass: pkiCA, cAcertificate)
> I kept the attributes pkcs11certificateCategory and pkcs11certificateValue
> and let the applications decide which format will be used.
>
> 3] Key attributes
> Like certificates keys can be stored ina single attribute as pkcs8 or
> bind.key format. In pkcs11 the keys are defined by their algoritthm
> specific attributes, I had defined RSA specific attributes (moduleus,
> exponent, ....) and did not remove them. Maybe some app wants to create
> keys and store these attrs, having defined them does not force to use them,
> but allows flexibility without requiring new attribute definitions
>
> 4] Not needed attributes.
> Jan pointed out that some of the attributes like CKA_TOKEN will always be
> true, so no need to define them.
> I have not yet removed them, they don't nned to be used, but I can still
> remove them.
>
> 5] Attribute syntaxes
> I associated boolean attributes with the ldap boolean syntax, which
> requires TRUE/FALSE as values
> There are a couple of attributes with a limited range like key_type which
> has values like:  CKK_RSA, CKK_DSA, CKK_DH. There are defines for these
> values which translate them to integers, which could be used, but I propose
> to use a syntax of directoryString and use the values directly eg
> pkcs11keyType: CKK_RSA. To me this is more readable than pkcs11keyType: 0
> And it would have to be parsed anywy
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140305/00b185ec/attachment.htm>


More information about the Freeipa-devel mailing list