In the review discussion for the ldap schema for pkcs11 there was one topic, which we wanted to get the opinion from a broader audience before making a final decision.


In pkcs11 there are many boolean attributes, like CKA_EXTRACTABLE, CKA_DERIVE, CKA_VERIFY and there are two suggestions how to represent them in ldap.


1] one ldap attribute for each pkcs11 attribute.

This was my initial proposal to define a ldap attribute with boolean syntax. Most attributes have default values and need not to be present

example:

    pkcs11extractable: true

    pkcs11derive: false

    pkcs11verify: true

2] one ldap attribute with pkcs11 attributes as values

During the review Simo suggested to have a single attribute (or a few of them, key,cert,...) and for each pkcs11 attribute with value true add it as a value

example:

    pkcs11keyFlags: CKA_EXTRACTABLE

    pkcs11keyFlags: CKA_VERIFY


Pros & Cons

pro 1] :

 *

   direct mapping of pkcs11attributes

 *

   required or allowed attributes are defined in an objectclass

con 1]:

 *

   huge number of schema attributes, which will probably not be needed


pro 2]:

 *

   smaller schema definition

 *

   possible to add new attributes/flags without extending the schema

con 2]:

 *

   no input validation, application could set undefined flags

 *

   since presence of a flag means TRUE, and absence FALSE all default
   true values need to be present



An other question was what should be the prefix for the ldap attribute names, the initial proposal was ipapkcs11, which was considered too ipa specific, so the next was pkcs11, where there are now concerns that this might be too ambitious pretending this is somehow official pkcs11.

So there are proposals of p11,pk11,c11 which also are used already by others (nss,p11-glue)

so any good ideas are welcome



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to