Re: PKI in multi sites/domains environment



Sorry, not a lot of time to respond this evening (writing the 2nd edition of my PKI book :-S)

"BZP" <p.audonnet@xxxxxxxxx> wrote in message news:3d50de26-c005-4db1-aae6-c7f53791c759@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Thanks!

> As regards the isolation process (Americas users use only the Americas
> CA), ok for the first way, via permissions. But I'm wondering
> something: it prevents users from getting certificates from a
> delocalized CA, but it doesn't prevent users contacting the bad CA
> (does it?). For example, when a user needs a certificate for encrypting
> his files, an automatic process will ask a CA for an EFS
> certificate. And if the process uses the bad CA, does it roll back to
> another CA? (Am I clear?) Or will the process use only the CA where
> permissions are ok (how can it check this without contacting the CA?
> Are permissions published in AD? Configuration context?)

It may send responses to each CA, but only stops when it receives a certificate from a CA. Not really a roll back, but similar.


> That's a great link (microsoft.com/pki)! Thanks for this.

No problem

> And what about X500 name constraints? Can this function be achieved
> by constraint extensions? For example, I configure a CA with the
> constraint: issue certificates only if the subject CN matches
> "*,DC=AMERICAS,DC=LOCAL". Will this serve?

This is another way, but could lead to a lot of configuration headaches. I would not recommend it, even though I wrote the whitepaper.

> For point 3, do you mean that CA certificates are published in
> AD? Is there an AD store like there is a User store on a computer?
> How does it work?

Not quite. The certificates are published to the Configuration naming context. The autoenrollment process ensures that these are plumbed to the AD clients running Win2K or higher.


> I can't get what the purpose of the Issuance Policies (Low, Medium,
> High) is. What is the interest?


See RFC 3647 and look for assurance levels. This is a rudimentary implementation and most companies do custom assurance levels.

> Thanks.
>
> Regards,
>
> --
> P.J.A.
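Two points from the exchange above lend themselves to a worked illustration: how a client can narrow the list of CAs before it contacts any of them (template ACLs and the CAs that publish each template are both readable from the Configuration naming context, while the CA's own "Request Certificates" permission is only enforced once the CA is asked, so a denial just moves the client on to the next CA), and what an X.500 name constraint such as `DC=AMERICAS,DC=LOCAL` actually tests against a subject DN. The code below is an added example, not code from the thread, from Microsoft, or from the whitepaper; the catalogue, group names and CA names are constructed stand-ins for `pKICertificateTemplate` and `pKIEnrollmentService` objects, the subtree test follows the RFC 5280 directoryName rule, and the `*` in the thread's `*,DC=AMERICAS,DC=LOCAL` is treated as "anything under" that base.

```python
"""Added illustration (not code from the thread or from Microsoft): a small model
of what an AD client can decide from the Configuration naming context alone, plus
an X.500 name-constraint check like the one asked about. All names are constructed."""
from dataclasses import dataclass


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP-string DN into (type, value) RDNs, leaf first.
    Backslash-escaped commas are honoured; multi-valued RDNs are not modelled."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    out = []
    for rdn in rdns:
        if rdn.strip():
            typ, _, val = rdn.partition("=")
            # DC/OU/CN use LDAP caseIgnore matching, so normalise case here
            out.append((typ.strip().upper(), val.strip().lower()))
    return out


def dn_within_subtree(subject: str, base: str) -> bool:
    """RFC 5280 directoryName subtree rule: the base DN must equal the root-most
    RDNs of the subject DN ('*,DC=AMERICAS,DC=LOCAL' -> base 'DC=AMERICAS,DC=LOCAL')."""
    s = list(reversed(parse_dn(subject)))  # root first
    b = list(reversed(parse_dn(base)))
    return 0 < len(b) <= len(s) and s[: len(b)] == b


def name_constraints_permit(subject: str, permitted: list[str], excluded=()) -> bool:
    """Excluded subtrees take precedence; with a non-empty permitted list the
    subject must fall inside at least one permitted subtree."""
    if any(dn_within_subtree(subject, x) for x in excluded):
        return False
    return not permitted or any(dn_within_subtree(subject, p) for p in permitted)


@dataclass
class Template:  # stands in for a pKICertificateTemplate object
    name: str
    enroll_allowed: set[str]  # groups granted Enroll/Autoenroll in the template ACL


@dataclass
class EnrollmentService:  # stands in for a pKIEnrollmentService object
    ca_name: str
    templates: set[str]  # the certificateTemplates attribute
    request_allowed: set[str]  # the CA's own "Request Certificates" ACL; NOT published in AD


CONFIG_NC = {  # constructed sample data, not a real forest
    "templates": {
        "EFS-Americas": Template("EFS-Americas", {"AMERICAS\\Domain Users"}),
        "EFS-EMEA": Template("EFS-EMEA", {"EMEA\\Domain Users"}),
        "EFS-Global": Template("EFS-Global", {"AMERICAS\\Domain Users", "EMEA\\Domain Users"}),
    },
    "enrollment_services": [
        EnrollmentService("Americas-Issuing-CA", {"EFS-Americas", "EFS-Global"}, {"AMERICAS\\Domain Users"}),
        EnrollmentService("EMEA-Issuing-CA", {"EFS-EMEA", "EFS-Global"}, {"EMEA\\Domain Users"}),
    ],
}


def candidate_cas(user_groups: set[str], template_name: str, catalogue=CONFIG_NC) -> list[str]:
    """Everything here is known before any CA is contacted: the template ACL and
    the list of CAs publishing the template both live in the Configuration NC."""
    tpl = catalogue["templates"].get(template_name)
    if tpl is None or not (user_groups & tpl.enroll_allowed):
        return []
    return [es.ca_name for es in catalogue["enrollment_services"] if template_name in es.templates]


def enroll(user_groups: set[str], template_name: str, catalogue=CONFIG_NC):
    """The CA-level permission is only enforced once a CA is asked, so a denial just
    moves the client to the next candidate (the thread's 'not really a roll back').
    Returns (issuing CA or None, CAs contacted in order)."""
    contacted = []
    for es in catalogue["enrollment_services"]:
        if es.ca_name not in candidate_cas(user_groups, template_name, catalogue):
            continue
        contacted.append(es.ca_name)
        if user_groups & es.request_allowed:
            return es.ca_name, contacted
    return None, contacted


if __name__ == "__main__":
    print(enroll({"EMEA\\Domain Users"}, "EFS-Global"))
    print(name_constraints_permit("CN=Alice,OU=Users,DC=AMERICAS,DC=LOCAL", ["DC=AMERICAS,DC=LOCAL"]))
```

Running it shows the two behaviours side by side: an EMEA user asking for the globally published template is turned away by the Americas CA and then issued by the EMEA CA, whereas a template whose ACL excludes the user never causes any CA to be contacted at all. The name-constraint helper also makes the thread's reservation concrete: every subject name the CA will ever issue has to sit under a small number of fixed bases, and DN spelling variants (case, escaped commas) have to be normalised exactly as the CA does it, which is where the configuration headaches come from.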



