<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p style="margin-bottom: 0in">In the review discussion for the ldap
schema for pkcs11 there was one topic on which we wanted to get the
opinion of a broader audience before making a final decision.</p>
<p style="margin-bottom: 0in"><br>
</p>
<p style="margin-bottom: 0in">In pkcs11 there are many boolean
attributes, like CKA_EXTRACTABLE, CKA_DERIVE, CKA_VERIFY, and there
are two suggestions for how to represent them in ldap.</p>
<p style="margin-bottom: 0in"><br>
</p>
<p style="margin-bottom: 0in">1] one ldap attribute for each pkcs11
attribute.</p>
<p style="margin-bottom: 0in">This was my initial proposal: to define
an ldap attribute with boolean syntax. Most attributes have default
values and need not be present.</p>
<p style="margin-bottom: 0in"> example:</p>
<p style="margin-bottom: 0in"> pkcs11extractable: true</p>
<p style="margin-bottom: 0in"> pkcs11derive: false</p>
<p style="margin-bottom: 0in"> pkcs11verify: true</p>
<p style="margin-bottom: 0in">2] one ldap attribute with pkcs11
attributes as values</p>
<p style="margin-bottom: 0in">During the review Simo suggested having
a single attribute (or a few of them: key, cert, ...) and adding each
pkcs11 attribute with value true as a value.</p>
<p style="margin-bottom: 0in"> example: </p>
<p style="margin-bottom: 0in"> pkcs11keyFlags: CKA_EXTRACTABLE</p>
<p style="margin-bottom: 0in"> pkcs11keyFlags: CKA_VERIFY</p>
<p style="margin-bottom: 0in"><br>
</p>
<p style="margin-bottom: 0in">Pros &amp; Cons</p>
<p style="margin-bottom: 0in">pro 1] :</p>
<ul>
<li>
<p style="margin-bottom: 0in">direct mapping of pkcs11attributes</p>
</li>
<li>
<p style="margin-bottom: 0in">required or allowed attributes are
defined in an objectclass</p>
</li>
</ul>
<p style="margin-bottom: 0in">con 1]:</p>
<ul>
<li>
<p style="margin-bottom: 0in">huge number of schema attributes,
which will probably not be needed</p>
</li>
</ul>
<p style="margin-bottom: 0in"><br>
</p>
<p style="margin-bottom: 0in">pro 2]:</p>
<ul>
<li>
<p style="margin-bottom: 0in">smaller schema definition</p>
</li>
<li>
<p style="margin-bottom: 0in">possible to add new
attributes/flags without extending the schema </p>
</li>
</ul>
<p style="margin-bottom: 0in">con 2]: </p>
<ul>
<li>
<p style="margin-bottom: 0in">no input validation; the application
could set undefined flags</p>
</li>
<li>
<p style="margin-bottom: 0in">since presence of a flag means
TRUE and absence FALSE, all default-true values need to be
present</p>
</li>
</ul>
<p style="margin-bottom: 0in"><br>
</p>
<p style="margin-bottom: 0in"><br>
</p>
<p style="margin-bottom: 0in">Another question was what the prefix
for the ldap attribute names should be. The initial proposal was
ipapkcs11, which was considered too ipa-specific, so the next was
pkcs11, where there are now concerns that this might be too
ambitious, pretending this is somehow official pkcs11.</p>
<p style="margin-bottom: 0in">So there are proposals of p11, pk11, c11,
which are also already used by others (nss, p11-glue).</p>
<p style="margin-bottom: 0in">So any good ideas are welcome.</p>
<p style="margin-bottom: 0in"><br>
</p>
<p style="margin-bottom: 0in"><br>
</p>
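<p style="margin-bottom: 0in">The two encodings described in the mail, worked through side by side as an added example (this is not code from the mail, from FreeIPA or from any published schema). The attribute names follow the mail's examples (pkcs11extractable, pkcs11keyFlags); the DEFAULTS table is a constructed stand-in, since real PKCS#11 defaults depend on the object class and must be taken from the specification. The example makes the two cons of option 2 concrete: the application, not the directory schema, has to reject undefined flag names, and a default-true flag that is left out of the multi-valued attribute silently reads back as FALSE.</p>

```python
"""Two LDAP encodings of PKCS#11 boolean attributes, side by side.

Assumed names and defaults (not from the original mail or any schema):
DEFAULTS is a constructed table for this illustration; real PKCS#11
defaults vary per object class and must be taken from the spec.
Attribute names follow the mail's examples (pkcs11extractable,
pkcs11keyFlags).
"""

# Constructed defaults for the illustration only.
DEFAULTS = {
    "CKA_EXTRACTABLE": True,
    "CKA_DERIVE": False,
    "CKA_VERIFY": False,
    "CKA_SIGN": False,
    "CKA_SENSITIVE": False,
}

PREFIX = "pkcs11"            # attribute-name prefix under discussion
FLAGS_ATTR = "pkcs11keyFlags"  # multi-valued attribute of option 2


def ldap_name(cka):
    """CKA_EXTRACTABLE -> pkcs11extractable (option 1: one attribute per flag)."""
    if not cka.startswith("CKA_"):
        raise ValueError("not a PKCS#11 attribute name: %s" % cka)
    return PREFIX + cka[len("CKA_"):].lower()


def effective(attrs):
    """Fill unspecified flags from DEFAULTS; reject names we do not know."""
    unknown = sorted(set(attrs) - set(DEFAULTS))
    if unknown:
        raise ValueError("unknown PKCS#11 attributes: %s" % ", ".join(unknown))
    merged = dict(DEFAULTS)
    merged.update(attrs)
    return merged


# --- option 1: one boolean LDAP attribute per PKCS#11 attribute ----------

def to_per_attribute(attrs):
    """Emit only values that differ from the default (the rest "need not be
    present").  LDAP Boolean syntax spells its values TRUE / FALSE."""
    return {
        ldap_name(cka): ("TRUE" if val else "FALSE")
        for cka, val in effective(attrs).items()
        if val != DEFAULTS[cka]
    }


def from_per_attribute(entry):
    """Absent attribute -> PKCS#11 default; present -> its stated value.
    Unknown attribute names would already have been rejected by the
    directory's objectclass definition, so none are expected here."""
    by_ldap_name = {ldap_name(cka): cka for cka in DEFAULTS}
    result = dict(DEFAULTS)
    for name, val in entry.items():
        result[by_ldap_name[name]] = (val.upper() == "TRUE")
    return result


# --- option 2: one multi-valued flags attribute --------------------------

def to_flag_values(attrs):
    """Every flag that is TRUE after applying defaults must be listed,
    because absence means FALSE (second con of option 2)."""
    return sorted(cka for cka, val in effective(attrs).items() if val)


def validate_flag_values(values):
    """The schema cannot check these values (first con of option 2), so the
    application has to.  Returns the flag names it does not recognise."""
    return sorted(set(values) - set(DEFAULTS))


def from_flag_values(values):
    """Presence -> TRUE, absence -> FALSE, regardless of the PKCS#11 default."""
    unknown = validate_flag_values(values)
    if unknown:
        raise ValueError("undefined flags: %s" % ", ".join(unknown))
    present = set(values)
    return {cka: (cka in present) for cka in DEFAULTS}


def to_ldif(dn, entry):
    """Render an attribute mapping as LDIF lines; list values become
    repeated attribute lines."""
    lines = ["dn: %s" % dn]
    for name, val in sorted(entry.items()):
        for v in (val if isinstance(val, list) else [val]):
            lines.append("%s: %s" % (name, v))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample key: matches the values used in the mail's examples.
    key = {"CKA_EXTRACTABLE": True, "CKA_DERIVE": False, "CKA_VERIFY": True}
    dn = "cn=key1,ou=keys,dc=example,dc=com"   # placeholder DN
    print(to_ldif(dn, to_per_attribute(key)))
    print()
    print(to_ldif(dn, {FLAGS_ATTR: to_flag_values(key)}))
```

<p style="margin-bottom: 0in">Run stand-alone it prints the option 1 entry, which carries only pkcs11verify: TRUE because the other two values equal their (assumed) defaults, and then the option 2 entry with pkcs11keyFlags: CKA_EXTRACTABLE and pkcs11keyFlags: CKA_VERIFY. Dropping CKA_EXTRACTABLE from the flags list and reading it back with from_flag_values shows the default-true pitfall directly.</p>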
</body>
</html>