
[ldapext] certificateExactMatch and certificateMatch



Hello,
  both X.509 and draft-zeilenga-ldap-x509 define the matching rules
certificateExactMatch and certificateMatch. Questions:

1. Where is the string encoding for these matching rules defined?

I have seen that in OpenLDAP a string like

((userCertificate=1357$o=truetrust ltd,c=gb))

works for certificateExactMatch; also RFC 3876 (matched values only)
uses this string representation. But I can't find an RFC/I-D that
defines this string format.

2. certificateMatch is defined in X.509 as:

certificateMatch MATCHING-RULE ::= {
    SYNTAX  CertificateAssertion
    ID      id-mr-certificateMatch }

CertificateAssertion ::= SEQUENCE {
    serialNumber            [0]  CertificateSerialNumber  OPTIONAL,
    issuer                  [1]  Name                     OPTIONAL,
    subjectKeyIdentifier    [2]  SubjectKeyIdentifier     OPTIONAL,
    authorityKeyIdentifier  [3]  AuthorityKeyIdentifier   OPTIONAL,
    certificateValid        [4]  Time                     OPTIONAL,
    privateKeyValid         [5]  GeneralizedTime          OPTIONAL,
    subjectPublicKeyAlgID   [6]  OBJECT IDENTIFIER        OPTIONAL,
    keyUsage                [7]  KeyUsage                 OPTIONAL,
    subjectAltName          [8]  AltNameType              OPTIONAL,
    policy                  [9]  CertPolicySet            OPTIONAL,
    pathToName              [10] Name                     OPTIONAL,
    subject                 [11] Name                     OPTIONAL,
    nameConstraints         [12] NameConstraintsSyntax    OPTIONAL }

Is it possible to use this matching rule in LDAP? Is there any product
already supporting this matching rule?

E.g. it should be possible to search for certificates with
- keyUsage="keyEncipherment", or
- subjectAltName="e-mail: aaa@bbb.cc",
right?

What would the string encoding be for these 2 examples?

Regards,  Jochen.
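As an added illustration (not code from this post, from OpenLDAP or from any RFC), here is a small Python matcher for the "serial$issuerDN" assertion form quoted above. It assumes that form, compares the serial numerically, and normalises the issuer DN (case-insensitive attribute types, caseIgnoreMatch-style folded values, backslash escapes) rather than comparing the two DN strings byte for byte, which is where a naive matcher silently misses or wrongly matches certificates.

```python
"""Matcher for the certificateExactMatch assertion form "<serial>$<issuerDN>"
shown in the post (e.g. "1357$o=truetrust ltd,c=gb").  Added illustration,
not OpenLDAP or RFC code; RDN multi-values ('+') are not handled."""

from typing import List, Tuple

RDN = Tuple[str, str]


def split_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514 style DN into normalised (type, value) pairs.
    Backslash escapes are honoured so "o=Foo\\, Inc" stays one RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                         # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        typ, _, val = rdn.partition("=")
        # attribute types are case-insensitive; values are compared with
        # caseIgnoreMatch semantics (fold case, collapse whitespace runs)
        pairs.append((typ.strip().lower(), " ".join(val.split()).lower()))
    return pairs


def parse_assertion(assertion: str) -> Tuple[int, List[RDN]]:
    """Parse "serial$issuer" into (serial as int, normalised issuer DN).
    The serial is compared numerically, so "01357" and "1357" are equal."""
    serial, sep, issuer = assertion.partition("$")
    if not sep or not serial.strip().isdigit():
        raise ValueError("expected <decimal serial>$<issuer DN>")
    return int(serial), split_dn(issuer)


def certificate_exact_match(assertion: str, serial: int, issuer: str) -> bool:
    """True when the assertion names exactly this (serial, issuer) pair."""
    want_serial, want_issuer = parse_assertion(assertion)
    return want_serial == serial and want_issuer == split_dn(issuer)
```

The serial and issuer values passed in are constructed sample data; in practice they come from the decoded userCertificate value.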

