In the review discussion of the LDAP schema for PKCS#11 there was one
topic on which we wanted to get the opinion of a broader audience before
making a final decision.
In PKCS#11 there are many boolean attributes, like CKA_EXTRACTABLE,
CKA_DERIVE and CKA_VERIFY, and there are two suggestions for how to
represent them in LDAP.
1] one LDAP attribute for each PKCS#11 attribute.
This was my initial proposal: define an LDAP attribute with boolean
syntax for each of them. Most attributes have default values and need
not be present.
Example:
pkcs11extractable: true
pkcs11derive: false
pkcs11verify: true
2] one LDAP attribute with PKCS#11 attributes as values.
During the review Simo suggested having a single attribute (or a few of
them: key, cert, ...) and, for each PKCS#11 attribute with value true,
adding it as a value.
Example:
pkcs11keyFlags: CKA_EXTRACTABLE
pkcs11keyFlags: CKA_VERIFY
Pros & Cons
pro 1]:
 * direct mapping of PKCS#11 attributes
 * required or allowed attributes are defined in an objectclass
con 1]:
 * huge number of schema attributes, which will probably not be needed
pro 2]:
 * smaller schema definition
 * possible to add new attributes/flags without extending the schema
con 2]:
 * no input validation: an application could set undefined flags
 * since presence of a flag means TRUE and absence means FALSE, all
   default-true values need to be present
Another question was what the prefix for the LDAP attribute names
should be. The initial proposal was ipapkcs11, which was considered too
IPA specific, so the next was pkcs11, where there are now concerns that
this might be too ambitious, pretending this is somehow official PKCS#11.
So there are proposals of p11, pk11 and c11, which are also already used
by others (nss, p11-glue).
So any good ideas are welcome.
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
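The two representations discussed in the message, worked through as an added example; this is not code from the post or from FreeIPA. The CKA_* names are real PKCS#11 attributes and the LDAP attribute names pkcs11extractable / pkcs11keyFlags follow the proposal, but the defaults table and the function names are assumptions for illustration. The example shows the round trip for both options and the two cons of option 2: the application must do the flag validation the schema cannot, and a default-true flag that is not written is read back as FALSE.

```python
"""Two LDAP encodings of PKCS#11 boolean attributes (added example)."""
from typing import Dict, Iterable, List

# Assumed defaults, for illustration only; the real default of each
# boolean attribute depends on the PKCS#11 object class and the token.
BOOL_ATTRS: Dict[str, bool] = {
    "CKA_EXTRACTABLE": True,
    "CKA_DERIVE": False,
    "CKA_VERIFY": True,
    "CKA_SIGN": True,
    "CKA_SENSITIVE": False,
}

FLAGS_ATTR = "pkcs11keyFlags"  # multi-valued attribute name from the proposal


def ldap_name(cka: str) -> str:
    """Option 1 naming from the proposal: CKA_EXTRACTABLE -> pkcs11extractable."""
    return "pkcs11" + cka[len("CKA_"):].lower()


def _check_known(names: Iterable[str]) -> None:
    """Reject flag names the schema does not define (application-side check)."""
    unknown = sorted(set(names) - BOOL_ATTRS.keys())
    if unknown:
        raise ValueError(f"undefined PKCS#11 flags: {unknown}")


def to_per_attribute(attrs: Dict[str, bool]) -> Dict[str, str]:
    """Option 1: one boolean-syntax LDAP attribute per flag.

    Values equal to the default are omitted; RFC 4517 boolean syntax
    spells the values TRUE and FALSE.
    """
    _check_known(attrs)
    return {ldap_name(n): ("TRUE" if v else "FALSE")
            for n, v in attrs.items() if v != BOOL_ATTRS[n]}


def from_per_attribute(entry: Dict[str, str]) -> Dict[str, bool]:
    """Option 1 decode: start from the defaults, apply what is present."""
    by_ldap = {ldap_name(n): n for n in BOOL_ATTRS}
    result = dict(BOOL_ATTRS)
    for ldap_attr, value in entry.items():
        if ldap_attr not in by_ldap:
            raise ValueError(f"unknown attribute {ldap_attr}")
        if value not in ("TRUE", "FALSE"):
            raise ValueError(f"bad boolean value {value!r} for {ldap_attr}")
        result[by_ldap[ldap_attr]] = (value == "TRUE")
    return result


def to_flag_values(attrs: Dict[str, bool]) -> List[str]:
    """Option 2: values of the multi-valued pkcs11keyFlags attribute.

    Absence means FALSE, so every TRUE flag must be written, including
    the default-true ones; the defaults are merged in before encoding.
    """
    _check_known(attrs)
    full = {**BOOL_ATTRS, **attrs}
    return sorted(n for n, v in full.items() if v)


def from_flag_values(values: Iterable[str], strict: bool = True) -> Dict[str, bool]:
    """Option 2 decode.

    The directory accepts any string as a value here, so unknown flags
    can only be caught by the application (strict=True). With
    strict=False an undefined flag is silently ignored.
    """
    present = set(values)
    if strict:
        _check_known(present)
    return {n: (n in present) for n in BOOL_ATTRS}


if __name__ == "__main__":
    key = {"CKA_EXTRACTABLE": False, "CKA_DERIVE": True, "CKA_VERIFY": True}
    print("option 1:", to_per_attribute(key))
    print("option 2:", {FLAGS_ATTR: to_flag_values(key)})
    # A writer that forgets the default-true flags loses them on read-back.
    print("CKA_SIGN after sloppy option-2 write:",
          from_flag_values(["CKA_DERIVE", "CKA_VERIFY"])["CKA_SIGN"])
```

Note that option 1 stores two values for this key while option 2 has to store three, because CKA_SIGN (default true in the assumed table) cannot be left out; that is the second con of option 2 made concrete.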