[Freeipa-devel] questions regarding ldap schema for pkcs11
Petr Spacek
pspacek at redhat.com
Fri Apr 4 11:19:35 UTC 2014
On 4.4.2014 10:20, Ludwig Krispenz wrote:
> In the review discussion for the ldap schema for pkcs11 there was one topic,
> which we wanted to get the opinion from a broader audience before making a
> final decision.
I'll add my opinion for the record:
> In pkcs11 there are many boolean attributes, like CKA_EXTRACTABLE, CKA_DERIVE,
> CKA_VERIFY and there are two suggestions how to represent them in ldap.
>
>
> 1] one ldap attribute for each pkcs11 attribute.
> This was my initial proposal to define a ldap attribute with boolean syntax.
> Most attributes have default values and need not be present
>
> example:
> pkcs11extractable: true
> pkcs11derive: false
> pkcs11verify: true
>
> 2] one ldap attribute with pkcs11 attributes as values
> During the review Simo suggested to have a single attribute (or a few of them,
> key,cert,...) and for each pkcs11 attribute with value true add it as a value
>
> example:
> pkcs11keyFlags: CKA_EXTRACTABLE
> pkcs11keyFlags: CKA_VERIFY
>
>
> Pros & Cons
>
> pro 1] : one ldap attribute for each pkcs11 attribute.
> * direct mapping of pkcs11attributes
> * required or allowed attributes are defined in an objectclass
>
> con 1]:
> * huge number of schema attributes, which will probably not be needed
I don't think it is a problem. We have a *huge* schema full of almost never-used
attributes. Look at the printerAbstract objectClass ...
> pro 2]: one ldap attribute with pkcs11 attributes as values
> * smaller schema definition
IPA schema + all the RFCs created a huge pile of schema definitions already
and 389 can cope with it. (We are speaking about adding tens of attributes,
not hundreds or thousands!)
> * possible to add new attributes/flags without extending the schema
Schema change is a little problem in comparison with updating clients (to get
any value from the new flag). Note that we are talking about booleans defined
by PKCS#11 standard so we can't add any boolean anyway.
IMHO any IPA-specific booleans should go to a separate object class to
separate them from pure PKCS#11 schema.
> con 2]:
> * no input validation, application could set undefined flags
> * since presence of a flag means TRUE, and absence FALSE all default
> true values need to be present
To conclude, I like approach [1]: one ldap attribute for each pkcs11
attribute.
--
Petr^2 Spacek
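As an added illustration of the two representations discussed in the thread (this is example code written for this page, not FreeIPA or 389-ds code): both encodings are read back into a PKCS#11 boolean map, which makes the "con 2]" points concrete, namely that the flag-value form cannot be validated by the schema and that a default-TRUE flag silently becomes FALSE when it is omitted. The attribute names are the ones proposed in the thread; the default table is constructed for illustration and is not the PKCS#11 specification's (which is attribute- and token-specific).

```python
# Subset of PKCS#11 boolean attributes handled by this example.
KNOWN_FLAGS = {"CKA_EXTRACTABLE", "CKA_DERIVE", "CKA_VERIFY"}

# Constructed defaults for illustration only (assumption, not taken from
# the thread or from the PKCS#11 specification).
DEFAULTS = {"CKA_EXTRACTABLE": True, "CKA_DERIVE": False, "CKA_VERIFY": False}


def parse_ldif(text):
    """Parse a minimal single-entry LDIF fragment into {attr: [values]}.

    Attribute names are lower-cased because LDAP attribute types are
    case-insensitive; multi-valued attributes collect all their lines.
    """
    entry = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def flags_from_per_attribute(entry):
    """Approach 1]: one boolean LDAP attribute per PKCS#11 attribute.

    Missing attributes take their default; a non-boolean value is rejected,
    which is what a boolean-syntax schema definition would do server-side.
    """
    result = dict(DEFAULTS)
    for flag in KNOWN_FLAGS:
        attr = "pkcs11" + flag[len("CKA_"):].lower()   # CKA_DERIVE -> pkcs11derive
        if attr in entry:
            value = entry[attr][0].upper()
            if value not in ("TRUE", "FALSE"):
                raise ValueError(f"{attr}: not a boolean: {value}")
            result[flag] = value == "TRUE"
    return result


def flags_from_flag_values(entry, client_validate=True):
    """Approach 2]: one multi-valued pkcs11keyFlags attribute.

    Presence means TRUE and absence means FALSE, so defaults are never
    applied and undefined flag names are only caught if the client checks.
    """
    present = set(entry.get("pkcs11keyflags", []))
    unknown = present - KNOWN_FLAGS
    if unknown and client_validate:
        raise ValueError(f"undefined flags: {sorted(unknown)}")
    return {flag: flag in present for flag in KNOWN_FLAGS}
```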