[Freeipa-devel] LDAP schema for PKCS#11

Stef Walter swalter at redhat.com
Mon Mar 3 14:07:33 UTC 2014


On 03.03.2014 15:03, Jan Cholasta wrote:
>>> This link definitely should be somewhere in design docs.
>>>
>>>> BTW, there are some additional attributes defined in
>>>> /usr/include/nss3/pkcs11n.h besides these mentioned in the link above:
>>> And this too... Feel free to upload the file to wiki if you didn't find
>>> any on-line repo suitable for direct linking from design docs.
>>>
>>>> CKA_TRUST_IPSEC_END_SYSTEM
>>>> CKA_TRUST_IPSEC_TUNNEL
>>>> CKA_TRUST_IPSEC_USER
>>>> CKA_TRUST_TIME_STAMPING
>>>> CKA_TRUST_STEP_UP_APPROVED
>>>>
>>>> Can you please add them as well?
>>>>
>>>>>
>>>>> 2] Certificate representation
>>>>> In pkcs11 there is a certificate category (user, authority, ..) and
>>>>> certificate value. An alternate way to represent this would be to use
>>>>> the schema defined in rfc4523 and map
>>>>> (user, value) --> (objectclass: pkiUser, usercertificate) and
>>>>> (authority, value) --> (objectclass: pkiCA, cAcertificate)
>>>>> I kept the attributes pkcs11certificateCategory and
>>>>> pkcs11certificateValue and let the applications decide which format
>>>>> will be used.
>>>>
>>>> Applications talking to PKCS#11 do not need to be concerned with
>>>> this, and applications talking to LDAP will be only us.
>>> I would like to emphasize Rob's idea that this schema is IPA-specific
>>> for now, but we should assume that other PKCS#11<->LDAP implementations
>>> can exist.
>>
>> And also NSS specific, given the storage of NSS trust.
> 
> I think we can make that conditional, i.e. by using an environment
> variable or the reserved argument in C_Initialize (like NSS does).
> 
> If you plug a PKCS#11 module into p11-kit, will p11-kit use NSS trust
> objects from the module?

No. This is the spec for storing trust policy in PKCS#11 that we've been
working on:

http://p11-glue.freedesktop.org/doc/storing-trust-policy/

It's a far more extensible and future-proof model. The p11-kit-trust
module stores/loads these sorts of objects, and additionally also
generates NSS trust objects on the fly so that NSS can consume the
information.

It doesn't do that last bit for third party sources, but it could given
code :)

Stef
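The certificate mapping discussed in the quoted part of the thread, (user, value) to pkiUser/userCertificate and (authority, value) to pkiCA/cACertificate, as an added example that is not code from the thread or from FreeIPA: a small Python converter that takes a PKCS#11 certificate object's category and DER value and emits the RFC 4523 LDIF form. The CK_CERTIFICATE_CATEGORY_* constants are the values defined by PKCS#11 v2.40; the DN, the `_CATEGORY_TO_LDAP` table name and the sample DER bytes are assumptions made for the example, and the DER check only validates the outer SEQUENCE framing (length field matches the buffer), not the X.509 structure.

```python
import base64

# CKA_CERTIFICATE_CATEGORY values from PKCS#11 v2.40 (CK_CERTIFICATE_CATEGORY_*).
CK_CERTIFICATE_CATEGORY_UNSPECIFIED = 0
CK_CERTIFICATE_CATEGORY_TOKEN_USER = 1
CK_CERTIFICATE_CATEGORY_AUTHORITY = 2
CK_CERTIFICATE_CATEGORY_OTHER_ENTITY = 3

# The mapping from the thread, using the RFC 4523 auxiliary object classes and
# attributes. Both attributes are transferred with the ";binary" option.
# (Table name is an assumption for this example.)
_CATEGORY_TO_LDAP = {
    CK_CERTIFICATE_CATEGORY_TOKEN_USER: ("pkiUser", "userCertificate;binary"),
    CK_CERTIFICATE_CATEGORY_AUTHORITY: ("pkiCA", "cACertificate;binary"),
}


def der_sequence_length_ok(value: bytes) -> bool:
    """Cheap sanity check: value is a single DER SEQUENCE whose encoded length
    matches the buffer. Catches truncated or concatenated blobs before they are
    written into LDAP; it is not an X.509 parser."""
    if len(value) < 2 or value[0] != 0x30:
        return False
    first = value[1]
    if first < 0x80:                      # short-form length
        header_len, content_len = 2, first
    else:                                 # long-form length: 0x8N + N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(value) < 2 + n:
            return False
        header_len = 2 + n
        content_len = int.from_bytes(value[2:2 + n], "big")
    return header_len + content_len == len(value)


def pkcs11_cert_to_ldif(dn: str, category: int, value: bytes) -> str:
    """Render one PKCS#11 certificate object as an RFC 4523 LDIF add record.

    Unknown or unspecified categories are rejected rather than guessed, so a
    CA certificate can never be silently stored as an end-entity one.
    pkiUser/pkiCA are AUXILIARY classes; a real entry also needs a structural
    class, which is left to the caller."""
    if category not in _CATEGORY_TO_LDAP:
        raise ValueError(f"unsupported CKA_CERTIFICATE_CATEGORY {category}")
    if not der_sequence_length_ok(value):
        raise ValueError("CKA_VALUE is not a well-formed DER SEQUENCE")
    objectclass, attr = _CATEGORY_TO_LDAP[category]
    b64 = base64.b64encode(value).decode("ascii")
    # LDIF uses "::" for base64-encoded attribute values.
    return "\n".join([
        f"dn: {dn}",
        "changetype: add",
        f"objectClass: {objectclass}",
        f"{attr}:: {b64}",
        "",
    ])


# Constructed stand-in for CKA_VALUE: a minimal DER SEQUENCE { INTEGER 0 },
# not a real certificate, so the example runs offline.
SAMPLE_DER = bytes.fromhex("3003020100")

if __name__ == "__main__":
    dn = "cn=example-ca,ou=certificates,dc=example,dc=com"  # assumed DN
    print(pkcs11_cert_to_ldif(dn, CK_CERTIFICATE_CATEGORY_AUTHORITY, SAMPLE_DER))
```

The point of keeping the category check strict is that the trust decision in PKCS#11 (user versus authority) becomes an object-class decision in LDAP; an implementation that defaulted unknown categories to one side would change what consumers of the directory trust.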
