[CC list trimmed to single list]
At 07:10 AM 3/2/2006, Keutel, Jochen wrote:
Hello,
both X.509 and draft-zeilenga-ldap-x509 define the matching rules
certificateExactMatch and certificateMatch. Questions:
1. Where is the string encoding for these matching rules defined?
Yes, draft-zeilenga-ldap-x509 (an approved Proposed Standard, an
RFC-to-be) specifies the LDAP string encoding of these matching
rules to be the GSER [RFC3641] encoding of the value.
I have seen that in OpenLDAP a string like
((userCertificate=1357$o=truetrust ltd,c=gb))
The old format used here should be considered deprecated in favor
of the standard GSER string encoding.
But I can't find a RFC/I-D which defines this string format.
As noted above, see draft-zeilenga-ldap-x509. As an example,
(userCertificate={ serialNumber 1357, issuer "o=truetrust ltd,c=gb" })
2. certificateMatch is defined in X.590 as
certificateMatch MATCHING-RULE ::= {
SYNTAX CertificateAssertion
ID id-mr-certificateMatch }
CertificateAssertion ::= SEQUENCE {
serialNumber [0] CertificateSerialNumber OPTIONAL,
issuer [1] Name OPTIONAL,
subjectKeyIdentifier [2] SubjectKeyIdentifier OPTIONAL,
authorityKeyIdentifier [3] AuthorityKeyIdentifier OPTIONAL,
certificateValid [4] Time OPTIONAL,
privateKeyValid [5] GeneralizedTime OPTIONAL,
subjectPublicKeyAlgID [6] OBJECT IDENTIFIER OPTIONAL,
keyUsage [7] KeyUsage OPTIONAL,
subjectAltName [8] AltNameType OPTIONAL,
policy [9] CertPolicySet OPTIONAL,
pathToName [10] Name OPTIONAL,
subject [11] Name OPTIONAL,
nameConstraints [12] NameConstraintsSyntax OPTIONAL
}
. Is it possible to use this matching rule in LDAP?
Yes, as specified in draft-zeilenga-ldap-x509.
Is there any product already supporting this matching rule?
I believe this matching rule to be fully implemented as
specified in draft-zeilenga-ldap-x509 in at least one
implementation.
(I note that I am not counting OpenLDAP's implementation as it
is flawed in the current release, an issue I am currently working
on addressing.)
(I note I do not name implementations that I believe fully
implement this specification as I prefer not to make specific
claims regarding products of others.)