[Freeipa-devel] questions regarding ldap schema for pkcs11

Ludwig Krispenz lkrispen at redhat.com
Fri Apr 4 08:20:14 UTC 2014

In the review discussion for the ldap schema for pkcs11 there was one 
topic on which we wanted to get the opinion of a broader audience before 
making a final decision.

In pkcs11 there are many boolean attributes, like CKA_EXTRACTABLE, 
CKA_DERIVE and CKA_VERIFY, and there are two suggestions for how to represent 
them in ldap.

1] one ldap attribute for each pkcs11 attribute.

This was my initial proposal: define an ldap attribute with boolean 
syntax for each of them. Most attributes have default values and need not 
be present.

     pkcs11extractable: true
     pkcs11derive: false
     pkcs11verify: true

2] one ldap attribute with pkcs11 attributes as values

During the review Simo suggested having a single attribute (or a few of 
them: key, cert, ...) and, for each pkcs11 attribute with value true, adding 
it as a value.

     pkcs11keyFlags: CKA_EXTRACTABLE
     pkcs11keyFlags: CKA_VERIFY

Pros & Cons

pro 1]:

    direct mapping of pkcs11 attributes
    required or allowed attributes are defined in an objectclass

con 1]:

    huge number of schema attributes, which will probably not be needed

pro 2]:

    smaller schema definition
    possible to add new attributes/flags without extending the schema

con 2]:

    no input validation; an application could set undefined flags
    since presence of a flag means TRUE and absence FALSE, all default-true
    values need to be present

Another question was what the prefix for the ldap attribute names should 
be. The initial proposal was ipapkcs11, which was considered too ipa 
specific, so the next was pkcs11, where there are now concerns that this 
might be too ambitious, pretending this is somehow official pkcs11.

So there are proposals of p11, pk11 and c11, which are also already used by 
others (nss, p11-glue).

So any good ideas are welcome.

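The two encodings compared in the post, as an added example that is not part of the original message and not FreeIPA code. It models proposal 1 (one boolean LDAP attribute per PKCS#11 attribute, defaults omitted) and proposal 2 (one multi-valued pkcs11keyFlags attribute) for the same key, and makes the two cons of proposal 2 concrete: default-TRUE attributes have to be written out, and the application, not the schema, has to reject undefined flag names. The attribute names follow the post; the set of CKA_* booleans and their default values are assumptions chosen for the example, not the normative PKCS#11 defaults.

```python
"""Two ways to store PKCS#11 boolean attributes in LDAP (example, not FreeIPA code)."""

# Assumed defaults for a handful of PKCS#11 boolean attributes.  These values
# are assumptions for the example; consult the PKCS#11 spec for the real ones.
KEY_BOOL_DEFAULTS = {
    "CKA_EXTRACTABLE": True,
    "CKA_DERIVE": False,
    "CKA_VERIFY": True,
    "CKA_SIGN": True,
    "CKA_SENSITIVE": False,
}

FLAGS_ATTR = "pkcs11keyFlags"   # proposal 2 attribute name, as in the post


class SchemaError(ValueError):
    """Raised when an entry carries an attribute or flag the schema does not know."""


def _ldap_attr(cka_name):
    """CKA_EXTRACTABLE -> pkcs11extractable (proposal 1 naming from the post)."""
    return "pkcs11" + cka_name[len("CKA_"):].lower()


def _complete(values):
    """Validate a dict of CKA_* -> bool and fill in the defaults."""
    unknown = set(values) - set(KEY_BOOL_DEFAULTS)
    if unknown:
        raise SchemaError("unknown PKCS#11 attributes: %s" % sorted(unknown))
    out = dict(KEY_BOOL_DEFAULTS)
    out.update(values)
    return out


# ---- proposal 1: one LDAP attribute per PKCS#11 attribute --------------------

def to_per_attribute(values):
    """Emit pkcs11<name>: TRUE/FALSE, omitting attributes at their default.
    LDAP Boolean syntax (RFC 4517) spells the values TRUE and FALSE."""
    full = _complete(values)
    return {_ldap_attr(n): ("TRUE" if v else "FALSE")
            for n, v in full.items() if v != KEY_BOOL_DEFAULTS[n]}


def from_per_attribute(entry):
    """Parse a proposal 1 entry; an absent attribute takes its default.
    Unknown attribute names or non-boolean values would be rejected by the
    directory server's schema check; this function mirrors that check."""
    by_ldap_name = {_ldap_attr(n): n for n in KEY_BOOL_DEFAULTS}
    values = {}
    for attr, raw in entry.items():
        name = attr.lower()            # LDAP attribute names are case-insensitive
        if name not in by_ldap_name:
            raise SchemaError("unknown attribute: %s" % attr)
        if raw.upper() not in ("TRUE", "FALSE"):
            raise SchemaError("bad boolean value %r for %s" % (raw, attr))
        values[by_ldap_name[name]] = (raw.upper() == "TRUE")
    return _complete(values)


# ---- proposal 2: one multi-valued flags attribute ----------------------------

def to_flags(values):
    """Emit every TRUE attribute as a value of pkcs11keyFlags.  Because absence
    means FALSE, attributes that default to TRUE must be written out as well."""
    full = _complete(values)
    return {FLAGS_ATTR: sorted(n for n, v in full.items() if v)}


def undefined_flags(entry):
    """Flag values not in the known set.  The LDAP schema cannot catch these
    (the attribute is just a list of strings), so the application must."""
    return sorted(set(entry.get(FLAGS_ATTR, [])) - set(KEY_BOOL_DEFAULTS))


def from_flags(entry, strict=True):
    """Parse a proposal 2 entry into CKA_* -> bool; strict rejects unknown flags."""
    unknown = undefined_flags(entry)
    if unknown and strict:
        raise SchemaError("undefined flags: %s" % unknown)
    flags = set(entry.get(FLAGS_ATTR, []))
    return {n: (n in flags) for n in KEY_BOOL_DEFAULTS}


if __name__ == "__main__":
    key = {"CKA_EXTRACTABLE": False, "CKA_DERIVE": True}   # constructed sample key
    print(to_per_attribute(key))   # only the two non-default attributes appear
    print(to_flags(key))           # default-TRUE CKA_SIGN and CKA_VERIFY appear too
    assert from_per_attribute(to_per_attribute(key)) == from_flags(to_flags(key))
```

Note that `to_flags({})` is not empty: a key with all-default attributes still needs CKA_EXTRACTABLE, CKA_SIGN and CKA_VERIFY stored, whereas `to_per_attribute({})` is empty. That is the second con of proposal 2 in code form, and it also means a reader of a proposal 2 entry cannot tell "attribute never set" from "attribute explicitly FALSE".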