Hi there
I am looking for an RFC 5755 (attribute certificates profile) schema file.
I thought it was in pmi.schema, but it appears that no, unless I am missing sthing.
Before creating one from the RFC, I would like to be sure it does not exist somewhere I couldn't find.
Thanks in adv.
P
On 10/20/22 12:14, Pascal Jakobi wrote:
> I am looking for an RFC 5755 (attribute certificates profile) schema file.
> I thought it was in pmi.schema, but it appears that no, unless I am missing sthing.
AFAICS pmi.schema is indeed what you're looking for.
Note that RFC 5755 defines the X.509 certificate profile and not an LDAP schema.
BTW: I'm curious what you're doing because I never saw attribute certs widely used in practice.
Ciao, Michael.
Q: I'm curious what you're doing because I never saw attribute certs widely used in practice.
R: Years ago, we created an XACML server that is RBAC profile compliant : https://projects.ow2.org/view/authzforce/.
Question is : how do you represent roles, especially in a security-critical context such as the one I work in. For such a matter, attribute certs might be an answer : signature, delegation, etc. Also usable for security clearances, etc.
Feel free to ask if you need more info on this.
BTW. I will look again into pmi.[schema|ldif], but I could not find attribute certificates at first. It seems to me that it only provides the PMI (=Privilege Mgmt Infra., the equivalent of a PKI for id certs) schema.
Best,
P
On 20/10/2022 17:24, Michael Ströder wrote:
> On 10/20/22 12:14, Pascal Jakobi wrote:
>> I am looking for an RFC 5755 (attribute certificates profile) schema file.
>> I thought it was in pmi.schema, but it appears that no, unless I am missing sthing.
> AFAICS pmi.schema is indeed what you're looking for.
> Note that RFC 5755 defines the X.509 certificate profile and not an LDAP schema.
> BTW: I'm curious what you're doing because I never saw attribute certs widely used in practice.
> Ciao, Michael.
Just as an aside, RFC5755 references X.509-2000, while the LDAP spec is based on the 1993 X.500 spec. Attribute Certificates didn't exist in the X.509-1993 spec. So it seems you'll need to write your own custom schema to support them.
Pascal Jakobi wrote:
> Q: I'm curious what you're doing because I never saw attribute certs widely used in practice.
> R: Years ago, we created an XACML server that is RBAC profile compliant : https://projects.ow2.org/view/authzforce/.
> Question is : how do you represent roles, especially in a security-critical context such as the one I work in. For such a matter, attribute certs might be an answer : signature, delegation, etc. Also usable for security clearances, etc.
> Feel free to ask if you need more info on this.
> BTW. I will look again into pmi.[schema|ldif], but I could not find attribute certificates at first. It seems to me that it only provides the PMI (=Privilege Mgmt Infra., the equivalent of a PKI for id certs) schema.
> Best,
> P
> On 20/10/2022 17:24, Michael Ströder wrote:
>> On 10/20/22 12:14, Pascal Jakobi wrote:
>>> I am looking for an RFC 5755 (attribute certificates profile) schema file.
>>> I thought it was in pmi.schema, but it appears that no, unless I am missing sthing.
>> AFAICS pmi.schema is indeed what you're looking for.
>> Note that RFC 5755 defines the X.509 certificate profile and not an LDAP schema.
>> BTW: I'm curious what you're doing because I never saw attribute certs widely used in practice.
>> Ciao, Michael.
On 10/20/22 19:05, Pascal Jakobi wrote:
> R: Years ago, we created an XACML server that is RBAC profile compliant : https://projects.ow2.org/view/authzforce/.
> Question is : how do you represent roles, especially in a security-critical context such as the one I work in. For such a matter, attribute certs might be an answer : signature, delegation, etc. Also usable for security clearances, etc.
I know the concept which was many moons ago driven by David Chadwick. But it never really took off and everybody's using other concepts nowadays.
> BTW. I will look again into pmi.[schema|ldif], but I could not find attribute certificates at first.
I think it's aACertificate.
> It seems to me that it only provides the PMI (=Privilege Mgmt Infra., the equivalent of a PKI for id certs) schema.
I have only vague memories about who submitted this schema file and why.
Ciao, Michael.
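The question running through this thread (does pmi.schema already define an attribute type that can hold an RFC 5755 attribute certificate, and which object class may carry it?) can be answered mechanically instead of by reading the file. The following Python script is an added example, not code from the thread's participants or from the OpenLDAP project: it parses the slapd.conf-style `attributetype ( ... )` / `objectclass ( ... )` definitions and reports attribute types whose SYNTAX is the attribute-certificate syntax or whose DESC describes one, together with the object classes whose MUST/MAY lists reference them. The schema text embedded in it is a constructed sample modelled on the X.509 PMI attribute types and object classes; the syntax OID, the DESC strings and the `exampleRoleName` attribute (under a placeholder enterprise arc) are assumptions for the example and should be checked against the actual pmi.schema shipped with OpenLDAP.

```python
"""Scan an OpenLDAP slapd.conf-style .schema file for X.509 attribute-certificate
support.  Added example, not code from OpenLDAP or the thread's participants;
it does not handle the cn=config LDIF form (olcAttributeTypes: ...)."""
import re

# Assumed LDAP syntax OID for AttributeCertificate; verify against the real pmi.schema.
AC_SYNTAX_OID = "1.3.6.1.4.1.4203.666.11.10.2.1"

# Constructed sample modelled on the X.509 PMI attribute types and object classes.
# OIDs and DESC strings are illustrative; 'exampleRoleName' is a made-up
# non-certificate attribute (placeholder enterprise arc) that must NOT be reported.
SAMPLE_SCHEMA = """\
# constructed sample, not the real pmi.schema
attributetype ( 2.5.4.58 NAME 'attributeCertificateAttribute'
    DESC 'X.509 Attribute certificate'
    EQUALITY attributeCertificateExactMatch
    SYNTAX 1.3.6.1.4.1.4203.666.11.10.2.1 )
attributetype ( 2.5.4.61 NAME 'aACertificate'
    DESC 'X.509 AA certificate'
    EQUALITY attributeCertificateExactMatch
    SYNTAX 1.3.6.1.4.1.4203.666.11.10.2.1 )
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleRoleName'
    DESC 'constructed: a plain string, not a certificate'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectclass ( 2.5.6.24 NAME 'pmiUser'
    DESC 'a PMI user (holder of attribute certificates)'
    SUP top AUXILIARY MAY attributeCertificateAttribute )
objectclass ( 2.5.6.25 NAME 'pmiAA'
    DESC 'a PMI attribute authority'
    SUP top AUXILIARY MAY ( aACertificate $ exampleRoleName ) )
"""

KEYWORDS = {"NAME", "DESC", "OBSOLETE", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX",
            "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "USAGE", "ABSTRACT",
            "STRUCTURAL", "AUXILIARY", "MUST", "MAY"}

def _split_definitions(text):
    """Yield (kind, body) for every 'attributetype ( ... )' / 'objectclass ( ... )',
    counting parentheses only outside quoted strings and skipping # comment lines."""
    text = " ".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    start, pos = re.compile(r"\b(attributetype|objectclass)\s*\(", re.IGNORECASE), 0
    while (m := start.search(text, pos)):
        depth, in_quote, i = 1, False, m.end()
        while i < len(text) and depth:
            c = text[i]
            if c == "'":
                in_quote = not in_quote
            elif not in_quote and c in "()":
                depth += 1 if c == "(" else -1
            i += 1
        if depth:
            raise ValueError("unbalanced parentheses in schema definition")
        yield m.group(1).lower(), text[m.end():i - 1].strip()
        pos = i

def _parse_body(kind, body):
    """Parse 'OID KEYWORD value ...'; fields maps each keyword to its list of values."""
    tokens = re.findall(r"'[^']*'|\(|\)|[^\s()']+", body)
    oid, tokens, fields, i = tokens[0], tokens[1:], {}, 0
    while i < len(tokens):
        key, values, i = tokens[i].upper(), [], i + 1
        if i < len(tokens) and tokens[i] == "(":            # list form: ( a $ b )
            i += 1
            while i < len(tokens) and tokens[i] != ")":
                if tokens[i] != "$":
                    values.append(tokens[i].strip("'"))
                i += 1
            i += 1
        else:                                                # single value, or a bare flag
            while i < len(tokens) and tokens[i].upper() not in KEYWORDS:
                values.append(tokens[i].strip("'"))
                i += 1
        fields[key] = values
    return {"kind": kind, "oid": oid, "names": fields.get("NAME", []), "fields": fields}

def parse_schema(text):
    return [_parse_body(kind, body) for kind, body in _split_definitions(text)]

def find_attribute_certificate_types(elements, syntax_oid=AC_SYNTAX_OID):
    """Names of attribute types whose SYNTAX is the AC syntax (ignoring a {len}
    suffix) or whose DESC talks about an attribute certificate."""
    found = []
    for el in elements:
        if el["kind"] != "attributetype":
            continue
        syntax = [s.split("{")[0] for s in el["fields"].get("SYNTAX", [])]
        desc = " ".join(el["fields"].get("DESC", [])).lower()
        if syntax == [syntax_oid] or "attribute certificate" in desc:
            found.extend(el["names"])
    return found

def classes_carrying(elements, attr_name):
    """Object classes listing attr_name in MUST or MAY (names compare case-insensitively)."""
    target = attr_name.lower()
    return [el["names"][0] for el in elements if el["kind"] == "objectclass" and target in
            {a.lower() for a in el["fields"].get("MUST", []) + el["fields"].get("MAY", [])}]

def report(schema_text):
    """Map each attribute-certificate type found to the object classes that may carry it."""
    elements = parse_schema(schema_text)
    return {n: classes_carrying(elements, n) for n in find_attribute_certificate_types(elements)}
```

Running `report(open("pmi.schema").read())` against the real file gives the same shape of answer as `report(SAMPLE_SCHEMA)` does for the constructed sample, i.e. a mapping from each attribute-certificate type to the object classes that may hold it. If the mapping comes back empty, or the only classes listed are ones an entry cannot reasonably carry, that is the point at which writing a custom schema, as suggested above, becomes necessary; if it does not, the existing types can be reused and the ACL review can concentrate on who may write to them.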
openldap-technical@openldap.org