Just as an aside, RFC5755 references X.509-2000, while the LDAP spec is based on the 1993 X.500 spec. Attribute Certificates didn't exist in the X.509-1993 spec. So it seems you'll need to write your own custom schema to support them.
Pascal Jakobi wrote:
Q:I'm curious what you're doing because I never saw attribute certs widely used in practice.
R:Years ago, we created an XACML server that is RBAC profile compliant: https://projects.ow2.org/view/authzforce/.
Question is: how do you represent roles, especially in a security-critical context such as the one I work in? For such a matter, attribute certs might be an answer: signature, delegation, etc. Also usable for security clearances, etc.
Feel free to ask if you need more info on this.
BTW. I will look again into pmi.[schema|ldif], but I could not find attribute certificates at first. It seems to me that it only provides the PMI (=Privilege Mgmt Infra., the equivalent of a PKI for id certs) schema.
Best,
P
On 20/10/2022 17:24, Michael Ströder wrote:
On 10/20/22 12:14, Pascal Jakobi wrote:
I am looking for an RFC 5755 (attribute certificates profile) schema file.
I thought it was in pmi.schema, but it appears that no, unless I am missing something.
AFAICS pmi.schema is indeed what you're looking for.
Note that RFC 5755 defines the X.509 certificate profile and not an LDAP schema.
BTW: I'm curious what you're doing because I never saw attribute certs widely used in practice.
Ciao, Michael.
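To make concrete what the thread is circling around (Pascal's question of carrying roles in an attribute certificate, and Michael's point that RFC 5755 is a certificate profile and says nothing about LDAP schema), here is an added example that is not part of the mailing-list thread and not OpenLDAP or AuthzForce code. It builds a minimal RFC 5755 v2 attribute certificate whose attributes carry id-at-role (2.5.4.72) values, then walks it back the way a relying party would, rejecting a wrong version and anything outside the validity window. It uses only the Python standard library with a tiny DER encoder/decoder; the holder "alice", the issuer "Example AA", the serial number and the urn:example role URIs are constructed sample data, and the signature is a placeholder because a real Attribute Authority signs the acinfo with its private key. Nothing here verifies that signature, which is the step that makes the roles trustworthy at all.

```python
"""Minimal RFC 5755 attribute certificate: build one carrying id-at-role values,
then read the roles back with version and validity checks (added example)."""
from datetime import datetime, timezone

ID_AT_ROLE = "2.5.4.72"               # id-at-role, RFC 5755 section 4.4.5
ID_AT_CN = "2.5.4.3"
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

# --- minimal DER encoders (stdlib only) ---
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body): return bytes([tag]) + _length(len(body)) + body
def seq(*items):    return tlv(0x30, b"".join(items))
def set_of(*items): return tlv(0x31, b"".join(items))   # single/few values; not DER-sorted
def integer(n):     return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))
def utf8(s):        return tlv(0x0C, s.encode("utf-8"))
def gentime(dt):    return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))
def ctx(n, body):   return tlv(0xA0 | n, body)          # constructed context tag [n]

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def directory_name(cn):
    # GeneralName.directoryName is [4] Name; Name is a CHOICE, so the tag is explicit.
    return ctx(4, seq(set_of(seq(oid(ID_AT_CN), utf8(cn)))))

def role_attribute(role_uris):
    # RoleSyntax ::= SEQUENCE { roleAuthority [0] OPTIONAL, roleName [1] GeneralName };
    # roleName is a CHOICE (explicit [1]) carried as uniformResourceIdentifier [6] IA5String (0x86).
    values = [seq(ctx(1, tlv(0x86, u.encode("ascii")))) for u in role_uris]
    return seq(oid(ID_AT_ROLE), set_of(*values))

def build_attribute_certificate(holder_cn, issuer_cn, serial, not_before, not_after, role_uris):
    alg = seq(oid(SHA256_RSA), tlv(0x05, b""))          # AlgorithmIdentifier with NULL params
    acinfo = seq(
        integer(1),                                      # AttCertVersion v2(1)
        seq(ctx(1, directory_name(holder_cn))),          # Holder { entityName [1] GeneralNames }
        ctx(0, seq(directory_name(issuer_cn))),          # AttCertIssuer.v2Form [0] { issuerName }
        alg, integer(serial),
        seq(gentime(not_before), gentime(not_after)),    # AttCertValidityPeriod
        seq(role_attribute(role_uris)),                  # attributes SEQUENCE OF Attribute
    )
    # Placeholder signature: a real Attribute Authority signs acinfo with its private key.
    return seq(acinfo, alg, tlv(0x03, b"\x00"))

# --- minimal DER walker ---
def parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = parse_tlv(body, pos)
        out.append((tag, inner))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def extract_roles(ac_der, now):
    """Role URIs of an AC that is v2 and valid at `now`. Does NOT verify the
    signature: a relying party must do that before trusting any role listed here."""
    _, ac, _ = parse_tlv(ac_der)
    acinfo = children(children(ac)[0][1])   # version, holder, issuer, sigalg, serial, validity, attrs
    if int.from_bytes(acinfo[0][1], "big", signed=True) != 1:
        raise ValueError("RFC 5755 requires version v2(1)")
    not_before, not_after = (datetime.strptime(t.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
                             for _, t in children(acinfo[5][1]))
    if not not_before <= now <= not_after:
        raise ValueError("attribute certificate outside its validity period")
    roles = []
    for _, attr in children(acinfo[6][1]):
        (_, atype), (_, avals) = children(attr)
        if decode_oid(atype) != ID_AT_ROLE:
            continue
        for _, role_syntax in children(avals):
            for tag, inner in children(role_syntax):
                gtag, gname = children(inner)[0]
                if tag == 0xA1 and gtag == 0x86:         # roleName [1] uniformResourceIdentifier
                    roles.append(gname.decode("ascii"))
    return roles

def demo():
    """Constructed sample: holder 'alice', two roles, read inside and after the validity window."""
    ac = build_attribute_certificate("alice", "Example AA", 4711,
                                     datetime(2022, 10, 1, tzinfo=timezone.utc),
                                     datetime(2023, 10, 1, tzinfo=timezone.utc),
                                     ["urn:example:role:auditor", "urn:example:role:operator"])
    roles = extract_roles(ac, datetime(2022, 10, 20, tzinfo=timezone.utc))
    try:
        extract_roles(ac, datetime(2024, 1, 1, tzinfo=timezone.utc))
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    return {"roles": roles, "expired_rejected": expired_rejected}
```

Run `demo()` to see the roles come back for a date inside the window and the rejection for a date after it. The DER produced by `build_attribute_certificate` is exactly the kind of blob an LDAP attribute of attribute-certificate syntax would hold, which is why the certificate profile alone does not settle how the directory stores or matches it; that is the schema question the thread is about.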