In the review discussion for the LDAP schema for PKCS#11 there was one
topic on which we wanted to get the opinion of a broader audience before
making a final decision.
In PKCS#11 there are many boolean attributes, like CKA_EXTRACTABLE,
CKA_DERIVE and CKA_VERIFY, and there are two suggestions for how to
represent them in LDAP.
1] one LDAP attribute for each PKCS#11 attribute
This was my initial proposal: to define an LDAP attribute with boolean
syntax for each. Most attributes have default values and need not be present.

2] one LDAP attribute with PKCS#11 attributes as values
During the review Simo suggested having a single attribute (or a few of
them: key, cert, ...) and, for each PKCS#11 attribute with value true,
adding it as a value.
Pros & Cons

pro 1]:
  direct mapping of PKCS#11 attributes
  required or allowed attributes are defined in an objectclass
con 1]:
  huge number of schema attributes, which will probably not be needed
pro 2]:
  smaller schema definition
  possible to add new attributes/flags without extending the schema
con 2]:
  no input validation, application could set undefined flags
  since presence of a flag means TRUE, and absence FALSE, all default
  true values need to be present
Another question was what the prefix for the LDAP attribute names
should be. The initial proposal was ipapkcs11, which was considered too
IPA specific, so the next was pkcs11, where there are now concerns that
this might be too ambitious, pretending this is somehow official PKCS#11.
So there are proposals of p11, pk11, c11, which also are used already by
so any good ideas are welcome.
Freeipa-devel mailing list
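To make the trade-off between the two representations concrete, the following is an added example; it is not code from this thread or from FreeIPA, and it is not the schema under review. It writes the same set of PKCS#11 booleans both ways (one boolean-syntax attribute per flag, and one multi-valued flags attribute where presence means TRUE) and reads them back. The p11 prefix, the derived attribute names such as p11Extractable and p11Flags, the flag list, the default values and the sample DN are all assumptions made up for illustration; real PKCS#11 defaults depend on the object class, key type and token.

```python
"""Side-by-side mapping of PKCS#11 boolean attributes onto LDAP.

Added example for illustration; not FreeIPA code and not the schema under
review. The 'p11' prefix, the attribute names derived from it, the flag
list and the default values are all assumptions made up for this example.
"""

# Hypothetical flag table: PKCS#11 attribute -> assumed default.
# Real defaults depend on object class, key type and token; illustrative only.
P11_BOOL_DEFAULTS = {
    "CKA_EXTRACTABLE": True,
    "CKA_SENSITIVE": False,
    "CKA_DERIVE": False,
    "CKA_SIGN": False,
    "CKA_VERIFY": False,
}

PREFIX = "p11"                 # hypothetical; the thread has not settled on one
FLAGS_ATTR = PREFIX + "Flags"  # hypothetical name of the multi-valued attribute


def ldap_attr_name(cka_name):
    """CKA_EXTRACTABLE -> p11Extractable (hypothetical naming convention)."""
    parts = cka_name[len("CKA_"):].lower().split("_")
    return PREFIX + "".join(p.capitalize() for p in parts)


def check_known(attrs):
    """Reject names that are not in the defined flag table."""
    unknown = sorted(set(attrs) - set(P11_BOOL_DEFAULTS))
    if unknown:
        raise ValueError("undefined PKCS#11 attribute(s): " + ", ".join(unknown))


def to_option1(attrs):
    """Option 1: one boolean-syntax LDAP attribute per PKCS#11 attribute.

    Values equal to the default are omitted; the schema default applies.
    Unknown names are rejected, mirroring an objectclass that does not
    allow an undefined attribute type."""
    check_known(attrs)
    return {ldap_attr_name(n): ("TRUE" if v else "FALSE")
            for n, v in attrs.items() if v != P11_BOOL_DEFAULTS[n]}


def from_option1(entry):
    """Inverse of to_option1: an absent attribute means the default."""
    names = {ldap_attr_name(n): n for n in P11_BOOL_DEFAULTS}
    result = dict(P11_BOOL_DEFAULTS)
    for ldap_name, value in entry.items():
        result[names[ldap_name]] = (value == "TRUE")
    return result


def to_option2(attrs, validate=True):
    """Option 2: a single multi-valued attribute; presence means TRUE.

    Because absence is read as FALSE, every TRUE flag must be written,
    including those whose default is TRUE. The schema itself cannot reject
    unknown flags, so validation is an application choice; validate=False
    shows what happens without it."""
    if validate:
        check_known(attrs)
    effective = dict(P11_BOOL_DEFAULTS)
    effective.update(attrs)
    flags = sorted(n for n, v in effective.items() if v)
    return {FLAGS_ATTR: flags} if flags else {}


def from_option2(entry):
    """Inverse of to_option2: present -> True, absent -> False, defaults ignored."""
    present = set(entry.get(FLAGS_ATTR, []))
    return {n: (n in present) for n in P11_BOOL_DEFAULTS}


def to_ldif(dn, entry):
    """Render a dict of attribute -> value(s) as LDIF lines."""
    lines = ["dn: " + dn]
    for attr, value in entry.items():
        for v in (value if isinstance(value, list) else [value]):
            lines.append(attr + ": " + v)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a signing key that must not leave the token.
    key = {"CKA_EXTRACTABLE": False, "CKA_SIGN": True, "CKA_SENSITIVE": True}
    dn = "cn=signing-key,cn=keys,dc=example,dc=test"  # hypothetical DN
    print(to_ldif(dn, to_option1(key)))
    print()
    print(to_ldif(dn, to_option2(key)))
    # Option 2 without validation silently stores an undefined flag:
    print(to_option2({"CKA_NOT_A_FLAG": True}, validate=False))
```

Two things the output makes visible: with option 1 an object that sets nothing produces an empty entry because the defaults live in the schema, whereas with option 2 the same object still has to carry CKA_EXTRACTABLE as a value (the assumed default-true flag), otherwise a reader would take it as FALSE; and with option 2 a typo such as CKA_NOT_A_FLAG goes into the directory unless every writer validates against the same flag list, while option 1 fails at the mapping step just as an objectclass would reject an undefined attribute type.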