Interfacing key archival CMC request to a non .net CA

From: Jean-Marc Desperrier (jmdesp_at_alussinan.org)
Date: 10/13/03 

Date: Mon, 13 Oct 2003 16:57:08 +0200

Hi,

I'm trying to interface xenroll generated CMC request including a
private archival option with a non .net CA.

Can you confirm that the ONLY method that can be used to import the
resulting certificate is to use a CMC full response including the
private key hash as an attribute, and that there's is NO way to use a
usual pkcs#7 response (even including the hash inside some extension) ?

Which certificates can sign a valid CMC answer ?
Can the CA delegate the right to sign this answer, if yes, to
certificates with which characteristics ?

The page :
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/kyacws03.asp
shows in appendix A a request that is supposed to include the encrypted key.
Careful analyse of the content shows none of the element displayed
appears to actually contain the encrypted private key. The closest match
"Encrypted Hash" is only the size of a RSA encryption, so can not
directly contain a full private key.

In fact, request generated from a pre-2003 client include an DES3-CBC
encrypted pkcs#7 in an extension, that can be deciphered with the
exchange certificate. Unfortunately the format of the decrypted private
key data is hard to understand.
It seems to consist of a content 20 byte header, and then the key
specific data.
Is it possible to get documentation on this format ?

The page documents the format of the request changes with a 2003 client,
does this means the private key information will not be stored in the
same place ? Do 2003 requests look more like a standard CMC/CRMF
requests or stay with an included PKCS#10 and a separate element used to
store the encrypted private key ?

In fact, the request that is shown on this page does not correspond to
what is documented on it. The document says otherMsgSequence will have a
hash of the encrypted private key, and the shown request has an empty
otherMsgSequence.

I expect that 2kSP5/XPSP2 will use the same format as the 2003 client,
is this right ?

Relevant Pages

  • Re: Client certificate private key prompt
    ... this when they need to make sure that no request every goes as anonymous. ... Upgrading the client to W2K3 will not solve the two prompt issue. ... the private key. ...
    (microsoft.public.dotnet.framework)
  • RE: SIMple SSL question ??
    ... The private key is not passed in the certificate request, ... so the attacker cannot decrypt incoming messages or sign outgoing ones. ... When IIS is used to create a certificate request, ...
    (microsoft.public.dotnet.security)
  • Re: Interfacing key archival CMC request to a non .net CA
    ... If xenroll is used to construct the CMC request and attach the encrypted ... private key blob sent to the server. ... If the request is wrapped inside another PKCS7 layer as part of a nested CMC ... The closest match> "Encrypted Hash" is only the size of a RSA encryption, so can not> directly contain a full private key. ...
    (microsoft.public.platformsdk.security)
  • Surprising threading issue
    ... connect to it about 100 times per request and so i use threads to ... private static DateTime lastHttpCallTime = DateTime.MinValue; ... lock (weeklyProcessorLocker) ... WebResponse response = null; ...
    (microsoft.public.dotnet.framework)
  • Re: Banned customer: John Duchi
    ... you never acknowledged that you DID receive a request ... anywhere in my request for the tracking number like you put ... first negative feedback instead of writing to me first. ... just because I happened to vent to you in a PRIVATE email ...
    (rec.games.pinball)