Just as an aside, RFC5755 references X.509-2000, while the LDAP spec is based on the 1993 X.500 spec. Attribute Certificates didn't exist in the X.509-1993 spec. So it seems you'll need to write your own custom schema to support them.
Pascal Jakobi wrote:
> Q: I'm curious what you're doing because I never saw attribute certs widely
> used in practice.
>
> R: Years ago, we created an XACML server that is RBAC profile compliant:
> https://projects.ow2.org/view/authzforce/.
>
> Question is: how do you represent roles, especially in a security-critical
> context such as the one I work in. For such a matter, attribute certs might
> be an answer: signature, delegation, etc. Also usable for security clearances, etc.
>
> Feel free to ask if you need more info on this.
>
> BTW. I will look again into pmi.[schema|ldif], but I could not find attribute
> certificates at first. It seems to me that it only provides the PMI
> (=Privilege Mgmt Infra., the equivalent of a PKI for id certs) schema.
>
> Best,
>
> P
>
> On 20/10/2022 17:24, Michael Ströder wrote:
>> On 10/20/22 12:14, Pascal Jakobi wrote:
>>> I am looking for an RFC 5755 (attribute certificates profile) schema file.
>>>
>>> I thought it was in pmi.schema, but it appears that no, unless I am missing
>>> something.
>>
>> AFAICS pmi.schema is indeed what you're looking for.
>>
>> Note that RFC 5755 defines the X.509 certificate profile and not an LDAP
>> schema.
>>
>> BTW: I'm curious what you're doing because I never saw attribute certs
>> widely used in practice.
>>
>> Ciao, Michael.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
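As an added illustration of the "write your own custom schema" point (this is not from the thread and not part of OpenLDAP's own pmi.schema), here is a slapd cn=config LDIF that stores RFC 5755 attribute certificates as opaque octet strings. The attribute and object class names, and the OID arc 1.3.6.1.4.1.99999, are placeholders to be replaced with names and a registered enterprise arc of your own.

```ldif
# Added example: minimal custom schema for holding RFC 5755 attribute
# certificates in OpenLDAP (slapd cn=config). The OIDs under
# 1.3.6.1.4.1.99999 are PLACEHOLDERS; substitute your own registered arc.
dn: cn=attrcert,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: attrcert
# The DER-encoded AttributeCertificate is stored as an opaque octet string.
# slapd does not parse or validate it, so the relying application must
# verify the AC's signature, issuer and validity period itself before
# trusting any role or clearance it carries.
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1
  NAME 'x-attributeCertificate'
  DESC 'DER-encoded RFC 5755 attribute certificate (opaque to slapd)'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
# Auxiliary class so the attribute can be attached to existing entries
# (e.g. inetOrgPerson) without changing their structural class.
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1
  NAME 'x-attributeCertificateHolder'
  DESC 'Entry carrying one or more attribute certificates'
  SUP top AUXILIARY
  MAY ( x-attributeCertificate ) )
```

Load it with `ldapadd -Y EXTERNAL -H ldapi:/// -f attrcert.ldif` on the server, then add `objectClass: x-attributeCertificateHolder` and a base64 `x-attributeCertificate::` value to the holder's entry with `ldapmodify`.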
