Re: Required Root CAs and CTLs

From: Krish Shenoy[MSFT] (kshenoy_at_online.microsoft.com)
Date: 12/11/03


Date: Wed, 10 Dec 2003 17:58:20 -0800

This feature is available in Windows 2003 through cross certification. In a
Windows 2003 domain group policy you have two choices for PKI:
1) Enterprise trust
2) Enterprise trust and third-party root certificates (default)
What you described is the first case.

"Lars Olaussen" <Isolauss@hotmail.com> wrote in message
news:%23kko6H1rDHA.1744@TK2MSFTNGP12.phx.gbl...
> In the MS Knowledge Base Article 293781 there is a list of 'Trusted Root
> Certificates That Are Required By Windows 2000'.
>
> Would it be possible to just add these root CAs to a Certificate Trust
> List made by the own PKI implemented? Then all the root CAs shipped
> with Windows could be removed, and only the own PKI and PKIs signed in
> CTLs would be accepted at domain workstations.
>
> The first goal would be to require all drivers, applications etc. to be
> digitally signed. Then require all PKIs issuing these certificates to be
> approved by the own root CA; never again have to worry about rogue
> drivers and applications being signed by untrusted 'Trusted Root
> Certificate'.
>
>
> Regards,
> Lars Olaussen
> Isolauss@hotmail.com
>
>


