[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] certificateExactMatch and certificateMatch

To: "Keutel, Jochen" <mlists@keutel.de>
Subject: Re: [ldapext] certificateExactMatch and certificateMatch
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Thu, 02 Mar 2006 08:41:01 -0800
Cc: ldapext <ldapext@ietf.org>
In-reply-to: <44070AD4.7010308@keutel.de>
References: <44070AD4.7010308@keutel.de>

[CC list trimmed to single list]

At 07:10 AM 3/2/2006, Keutel, Jochen wrote:
>Hello,
>  both X.509 and draft-zeilenga-ldap-x509 define the matching rules
>certificateExactMatch and certificateMatch. Questions:
>
>1. Where is the string encoding for these matching rules defined?

Yes, draft-zeilenga-ldap-x509 (an approved Proposed Standard, an
RFC-to-be) specifies the LDAP string encoding of these matching
rules to be the GSER [RFC3641] encoding of the value.

>I have seen that in OpenLDAP a string like
>((userCertificate=1357$o=truetrust ltd,c=gb))

The old format used here should be considered deprecated in favor
of the standard GSER string encoding.

>But I can't find a RFC/I-D which defines this string format.

As noted above, see draft-zeilenga-ldap-x509.  As an example,
  (userCertificate={ serialNumber 1357, issuer "o=truetrust ltd,c=gb" })


>2. certificateMatch is defined in X.590 as
>
>certificateMatch MATCHING-RULE ::= {
>        SYNTAX  CertificateAssertion
>        ID                      id-mr-certificateMatch }
>CertificateAssertion ::= SEQUENCE {
>        serialNumber            [0]     CertificateSerialNumber OPTIONAL,
>        issuer                          [1]     Name                    OPTIONAL,
>        subjectKeyIdentifier    [2]     SubjectKeyIdentifier            OPTIONAL,
>        authorityKeyIdentifier  [3]     AuthorityKeyIdentifier  OPTIONAL,
>        certificateValid                [4]     Time                    OPTIONAL,
>        privateKeyValid         [5]     GeneralizedTime         OPTIONAL,
>        subjectPublicKeyAlgID   [6]     OBJECT IDENTIFIER               OPTIONAL,
>        keyUsage                        [7]     KeyUsage                OPTIONAL,
>        subjectAltName          [8]     AltNameType             OPTIONAL,
>        policy                          [9]     CertPolicySet           OPTIONAL,
>        pathToName              [10]    Name                    OPTIONAL,
>        subject                         [11]    Name                    OPTIONAL,
>        nameConstraints         [12]    NameConstraintsSyntax   OPTIONAL
> }
>
>. Is it possible to use this matching rule in LDAP?

Yes, as specified in draft-zeilenga-ldap-x509.

>Is there any product already supporting this matching rule?

I believe this matching rule to be fully implemented as
specified in draft-zeilenga-ldap-x509 in at least one
implementation.

(I note that I am not counting OpenLDAP's implementation as it
is flawed in the current release, an issue I am currently working
on addressing.)

(I note I do not name implementations that I believe fully
implement this specification as I prefer not to make specific
claims regarding products of others.)


>E.g. it should be possible to search for certificates with
>- keyUsage="keyEncipherment"
>or
>- subjectAltName "e-mail: aaa@bbb.cc"
>, right?
>
>How would be the string encoding for these 2 examples?

As I don't trust my built-in GSER encoder to provide correct
encodings except for the most basic ASN.1 types, I'll leave
this to others.

Kurt 


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] certificateExactMatch and certificateMatch
  - From: Steven Legg <steven.legg@eb2bcom.com>

References:
- [ldapext] certificateExactMatch and certificateMatch
  - From: "Keutel, Jochen" <mlists@keutel.de>

Prev by Date: [ldapext] certificateExactMatch and certificateMatch
Next by Date: Re: [ldapext] Fwd: I-D ACTION:draft-zeilenga-ldap-managedit-00.txt
Index(es):
- Chronological
- Thread