In the review discussion of the LDAP schema for pkcs11 there was one topic on which we wanted to get the opinion of a broader audience before making a final decision.

In pkcs11 there are many boolean attributes, like CKA_EXTRACTABLE, CKA_DERIVE and CKA_VERIFY, and there are two suggestions for how to represent them in LDAP.

1] one ldap attribute for each pkcs11 attribute.

This was my initial proposal: define an LDAP attribute with boolean syntax for each. Most attributes have default values and need not be present.

    pkcs11extractable: true
    pkcs11derive: false
    pkcs11verify: true

2] one ldap attribute with pkcs11 attributes as values

During the review Simo suggested having a single attribute (or a few of them: key, cert, ...) and adding each pkcs11 attribute with value true as a value:

    pkcs11keyFlags: CKA_EXTRACTABLE
    pkcs11keyFlags: CKA_VERIFY

Pros & Cons

pro 1]:
   direct mapping of pkcs11 attributes
   required or allowed attributes are defined in an objectclass

con 1]:
   huge number of schema attributes, which will probably never be needed

pro 2]:
   smaller schema definition
   possible to add new attributes/flags without extending the schema

con 2]:
   no input validation; an application could set undefined flags
   since presence of a flag means TRUE and absence FALSE, all default-true
   values need to be present
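As an added illustration of the two options and of con 2 (this is example code written for this thread, not the FreeIPA schema or code; the attribute names pkcs11extractable/pkcs11derive/pkcs11verify and pkcs11keyFlags are the ones proposed above, and the DEFAULTS table is constructed for the example rather than taken from the PKCS#11 specification):

```python
# Added example (not FreeIPA code): model the two proposed LDAP
# representations of PKCS#11 boolean attributes and show where option 2
# silently loses information or validation.  Attribute names follow the
# proposal above; DEFAULTS is constructed for illustration only.

# Constructed for illustration: default values of three PKCS#11 booleans.
DEFAULTS = {
    "CKA_EXTRACTABLE": True,
    "CKA_DERIVE": False,
    "CKA_VERIFY": True,
}
KNOWN = frozenset(DEFAULTS)


def ldap_name(cka):
    """CKA_EXTRACTABLE -> pkcs11extractable (option 1 naming)."""
    return "pkcs11" + cka[len("CKA_"):].lower()


def to_per_attribute(attrs):
    """Option 1: one boolean LDAP attribute per PKCS#11 attribute.
    Values equal to the default are omitted; LDAP Boolean syntax spells
    its values TRUE/FALSE.  Unknown attributes are rejected here, which is
    what the objectclass would do for us on the server side."""
    entry = {}
    for cka, value in attrs.items():
        if cka not in KNOWN:
            raise ValueError("no schema attribute for %s" % cka)
        if value != DEFAULTS[cka]:
            entry[ldap_name(cka)] = "TRUE" if value else "FALSE"
    return entry


def from_per_attribute(entry):
    """Option 1 read path: anything absent falls back to its default."""
    attrs = dict(DEFAULTS)
    for cka in KNOWN:
        if ldap_name(cka) in entry:
            attrs[cka] = entry[ldap_name(cka)] == "TRUE"
    return attrs


def to_flags(attrs):
    """Option 2: one multi-valued pkcs11keyFlags attribute holding every
    attribute that is TRUE.  Since absence means FALSE, default-true
    attributes must be written out even when the caller did not set them."""
    merged = dict(DEFAULTS)
    merged.update(attrs)
    return {"pkcs11keyFlags": sorted(cka for cka, v in merged.items() if v)}


def from_flags(entry, validate=False):
    """Option 2 read path.  The schema cannot constrain the values, so
    without validate=True an undefined flag such as CKA_BOGUS is accepted
    and reported as TRUE; validate=True adds the check the schema lacks."""
    flags = set(entry.get("pkcs11keyFlags", []))
    unknown = flags - KNOWN
    if validate and unknown:
        raise ValueError("undefined flags: %s" % sorted(unknown))
    attrs = {cka: cka in flags for cka in KNOWN}
    attrs.update({cka: True for cka in unknown})
    return attrs
```

The two read paths differ exactly where the cons above say they do: with option 1 an entry that lacks pkcs11extractable still reads back as TRUE (the default), whereas with option 2 an entry whose flag list omits CKA_EXTRACTABLE reads back as FALSE, and an undefined flag is only caught if the application validates against its own list of known names.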

Another question was what the prefix for the LDAP attribute names should be. The initial proposal was ipapkcs11, which was considered too IPA-specific, so the next was pkcs11, about which there are now concerns that it might be too ambitious, pretending this is somehow official pkcs11.

So there are proposals of p11, pk11 and c11, which are also already used by others (nss, p11-glue).

So any good ideas are welcome.

Freeipa-devel mailing list
