On Tue, Feb 26, 2008 at 5:05 AM, Michael Ströder <michael@stroeder.com> wrote:
Tony Earnshaw wrote:
> Patrick Patterson skrev, on 25-02-2008 21:25:
>> I am working on a PKI project, and would like to be able to use
>> OpenLDAP, however, the certificate policy that we have to conform to
>> mandates that CA entries be a member of pkiCA and cpCps auxiliary
>> object classes. Now, the pkiCA requirement is easy, as it looks like
>> OpenLDAP supports that just fine, however, I'm wondering if cpCPS is
>> able to be supported.
>> I guess my question is twofold:
>> Have the syntax checking routines mandated for the cpCps object class

Strictly speaking an object class doesn't have any matching rules
assigned to it. You're probably talking about the related
attribute types and their matching rules.

>> (I presume out of ITU-T X.509 chapter 11) been implemented in
>> OpenLDAP,

Matching rule 'objectIdentifierFirstComponentMatch' for attribute
type 'certificatePolicy' seems to be implemented in OpenLDAP
2.4.x. Not sure about 2.3.x, check the subschema yourself.

>> and if so, does anyone happen to have a schema file
>> available so that I don't have to write one myself to add this
>> objectClass to OpenLDAP.

It's quite easy since you just have to take the declarations from

Ok - I had looked at this, but was confused by the lack of a specific certificatePolicyStmt attribute, which is in the X.509 spec, but not in that draft.

>> If not, is it possible to add these syntax checking routines in the
>> same way as one can extend the schema for object classes and attributes?

No, you can't simply add matching rules by configuration. You have
to implement them in C code.

That's what I figured - but I figured that I would ask anyways in case I missed something :)

>> (I know that I could probably cheat, turn schema checking off

No, you can't turn off schema checking anymore even though
OpenLDAP 2.3.x still accepts the configuration directive but
silently ignores it. 2.4.x does not accept this directive anymore.

Hmmm... was not aware of this.

> Not to put too fine a point on it (I have no need for this schema
> myself), but if I Google (just for the interest) on 'cpCps "object
> class" schema' it comes up with (i.a.)
> draft-ietf-pkix-ldap-pki-schema-00.txt, which would appear to be exactly
> what you're looking for for building your "own" schema.

It's worth looking at this *expired* draft, especially section
"14. Outstanding Issues". I'm not sure whether it's a good idea to
rely on this expired draft.

Unfortunately, these are rules that are brought down from the certificate policy that we have to implement, so that's why I'm even bothering with this. Frankly, the LDAP repository seems to me to be the wrong place to put CP and CPS information, when the certificatePolicy X.509 extension is quite happy to have an HTTP URI, and most people know how to follow one of those :)

If you want this I-D to make any progress it might be worth to
post a request on the ietf-pkix or ietf-ldapext mailing lists
since both authors and other skilled people are there. But don't
expect too much. This probably won't make any progress within the
time-frame of your project.

I'll bring this up to the policy management authority - they are the ones that will be most interested... I'm just stuck implementing this :)

Thanks again.

Personal Mail from Patrick Patterson
No company affiliation