IETF Logo Mail Archive

Re: [ldapext] certificateExactMatch and certificateMatch

Steven Legg <steven.legg@eb2bcom.com> Fri, 03 March 2006 01:27 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FEz4x-0006Wh-SD; Thu, 02 Mar 2006 20:27:35 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FEz4v-0006Uk-PD for ldapext@ietf.org; Thu, 02 Mar 2006 20:27:33 -0500
Received: from eagle.unknowndns.net ([221.133.206.175]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FEz4u-0003tD-MN for ldapext@ietf.org; Thu, 02 Mar 2006 20:27:33 -0500
Received: from [203.206.165.210] (helo=[192.168.1.156]) by eagle.unknowndns.net with esmtpa (Exim 4.52) id 1FEz4h-00076H-3s; Fri, 03 Mar 2006 11:27:19 +1000
Message-ID: <44079B74.80200@eb2bcom.com>
Date: Fri, 03 Mar 2006 12:27:16 +1100
From: Steven Legg <steven.legg@eb2bcom.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050319
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Keutel, Jochen" <mlists@keutel.de>
Subject: Re: [ldapext] certificateExactMatch and certificateMatch
References: <44070AD4.7010308@keutel.de> <7.0.1.0.0.20060302082326.0222ac00@OpenLDAP.org>
In-Reply-To: <7.0.1.0.0.20060302082326.0222ac00@OpenLDAP.org>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - eagle.unknowndns.net
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - eb2bcom.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 36b1f8810cb91289d885dc8ab4fc8172
Cc: ldapext <ldapext@ietf.org>, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
Errors-To: ldapext-bounces@ietf.org

Jochen,

Kurt D. Zeilenga wrote:
> [CC list trimmed to single list]
> 
> At 07:10 AM 3/2/2006, Keutel, Jochen wrote:
> 
>>Hello,
>> both X.509 and draft-zeilenga-ldap-x509 define the matching rules
>>certificateExactMatch and certificateMatch. Questions:
>>
>>1. Where is the string encoding for these matching rules defined?
> 
> 
> Yes, draft-zeilenga-ldap-x509 (an approved Proposed Standard, an
> RFC-to-be) specifies the LDAP string encoding of these matching
> rules to be the GSER [RFC3641] encoding of the value.
> 
> 
>>I have seen that in OpenLDAP a string like
>>((userCertificate=1357$o=truetrust ltd,c=gb))
> 
> 
> The old format used here should be considered deprecated in favor
> of the standard GSER string encoding.
> 
> 
>>But I can't find a RFC/I-D which defines this string format.
> 
> 
> As noted above, see draft-zeilenga-ldap-x509.  As an example,
>   (userCertificate={ serialNumber 1357, issuer "o=truetrust ltd,c=gb" })
> 
> 
> 
>>2. certificateMatch is defined in X.590 as
>>
>>certificateMatch MATCHING-RULE ::= {
>>       SYNTAX  CertificateAssertion
>>       ID                      id-mr-certificateMatch }
>>CertificateAssertion ::= SEQUENCE {
>>       serialNumber            [0]     CertificateSerialNumber OPTIONAL,
>>       issuer                          [1]     Name                    OPTIONAL,
>>       subjectKeyIdentifier    [2]     SubjectKeyIdentifier            OPTIONAL,
>>       authorityKeyIdentifier  [3]     AuthorityKeyIdentifier  OPTIONAL,
>>       certificateValid                [4]     Time                    OPTIONAL,
>>       privateKeyValid         [5]     GeneralizedTime         OPTIONAL,
>>       subjectPublicKeyAlgID   [6]     OBJECT IDENTIFIER               OPTIONAL,
>>       keyUsage                        [7]     KeyUsage                OPTIONAL,
>>       subjectAltName          [8]     AltNameType             OPTIONAL,
>>       policy                          [9]     CertPolicySet           OPTIONAL,
>>       pathToName              [10]    Name                    OPTIONAL,
>>       subject                         [11]    Name                    OPTIONAL,
>>       nameConstraints         [12]    NameConstraintsSyntax   OPTIONAL
>>}
>>
>>. Is it possible to use this matching rule in LDAP?
> 
> 
> Yes, as specified in draft-zeilenga-ldap-x509.
> 
> 
>>Is there any product already supporting this matching rule?
> 
> 
> I believe this matching rule to be fully implemented as
> specified in draft-zeilenga-ldap-x509 in at least one
> implementation.
> 
> (I note that I am not counting OpenLDAP's implementation as it
> is flawed in the current release, an issue I am currently working
> on addressing.)
> 
> (I note I do not name implementations that I believe fully
> implement this specification as I prefer not to make specific
> claims regarding products of others.)

But those others can make claims about their own products :-).
eB2Bcom's directory server supports the certificateMatch matching rule.
In our current release the certificateMatch matching rule expects
the LDAP assertion value to be BER encoded by default, but it is possible
to use the GSER encoding, as specified in draft-zeilenga-ldap-x509, by
attaching ";transfer-gser" to the attribute type in the extensibleMatch
filter item. Now that draft-zeilenga-ldap-x509 is approved we will be
changing the default encoding over to GSER in the next release.

> 
> 
> 
>>E.g. it should be possible to search for certificates with
>>- keyUsage="keyEncipherment"
>>or
>>- subjectAltName "e-mail: aaa@bbb.cc"
>>, right?
>>
>>How would be the string encoding for these 2 examples?

In the first case the LDAP assertion value would be:

    { keyUsage { keyEncipherment } }

Note that the subjectAltName field of CertificateAssertion only allows
searching for subject alt names of a particular kind. To find all
certificates with email addresses as subject alt names the assertion
value would be:

    { subjectAltName builtinNameForm:rfc822Name }

You can't use certificateMatch to search for particular subjectAltName
email addresses, but it is possible to use component matching (RFC 3687) to
do this. The LDAP extensibleMatch filter item would look something like this
(minus the line breaks):

    (userCertificate:componentFilterMatch:=item:{
        component "toBeSigned.extensions.*.extnValue.content.(2.5.29.17).*.rfc822Name",
        rule caseIgnoreIA5Match, value "aaa@bbb.cc" })

Our directory server supports this as well.

Regards,
Steven

> 
> 
> As I don't trust my built-in GSER encoder to provide correct
> encodings except for the most basic ASN.1 types, I'll leave
> this to others.
> 
> Kurt 
> 
> 
> _______________________________________________
> Ldapext mailing list
> Ldapext@ietf.org
> https://www1.ietf.org/mailman/listinfo/ldapext
> 
> 
> 

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

v2.23.0 | Report a Bug | By Email