[ldapext] certificateExactMatch and certificateMatch
- To: ldap@umich.edu, ldapext <ldapext@ietf.org>
- Subject: [ldapext] certificateExactMatch and certificateMatch
- From: "Keutel, Jochen" <mlists@keutel.de>
- Date: Thu, 02 Mar 2006 16:10:12 +0100
- Cc:
- User-agent: Thunderbird 1.5 (Windows/20051201)
Hello,

both X.509 and draft-zeilenga-ldap-x509 define the matching rules
certificateExactMatch and certificateMatch. Questions:

1. Where is the string encoding for these matching rules defined?
   I have seen that in OpenLDAP a string like

       ((userCertificate=1357$o=truetrust ltd,c=gb))

   works for certificateExactMatch; also RFC3876 (matched values only)
   uses this string representation. But I can't find an RFC/I-D which
   defines this string format.

2. certificateMatch is defined in X.590 as

       certificateMatch MATCHING-RULE ::= {
           SYNTAX  CertificateAssertion
           ID      id-mr-certificateMatch }

       CertificateAssertion ::= SEQUENCE {
           serialNumber            [0]  CertificateSerialNumber OPTIONAL,
           issuer                  [1]  Name OPTIONAL,
           subjectKeyIdentifier    [2]  SubjectKeyIdentifier OPTIONAL,
           authorityKeyIdentifier  [3]  AuthorityKeyIdentifier OPTIONAL,
           certificateValid        [4]  Time OPTIONAL,
           privateKeyValid         [5]  GeneralizedTime OPTIONAL,
           subjectPublicKeyAlgID   [6]  OBJECT IDENTIFIER OPTIONAL,
           keyUsage                [7]  KeyUsage OPTIONAL,
           subjectAltName          [8]  AltNameType OPTIONAL,
           policy                  [9]  CertPolicySet OPTIONAL,
           pathToName              [10] Name OPTIONAL,
           subject                 [11] Name OPTIONAL,
           nameConstraints         [12] NameConstraintsSyntax OPTIONAL
       }

   Is it possible to use this matching rule in LDAP? Is there any product
   already supporting this matching rule?
   E.g. it should be possible to search for certificates with
   - keyUsage="keyEncipherment"
   or
   - subjectAltName "e-mail: aaa@bbb.cc"
   , right?
   What would the string encoding be for these 2 examples?

Regards, Jochen.