Re: Issuance policies in CA certificates



Some answers inline...

"Milan" <Milan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:F6E5A1AA-BBB6-4FCD-AC7D-E890BA90BF53@xxxxxxxxxxxxxxxx
Dear All,

For the purpose of testing, I'm trying to set up two distinct 3-tier PKI
hierarchies based on Win2003EE. When formed, they will be connected over a
Bridge CA in order to test interoperability (particularly constraints between
domains). Considering that I have recently started to explore the world of
PKI, I have a few questions regarding certificate policies and
cross-certification:
1. What is the best practice for defining certificate policies for the
intermediate (Policy) CA? In "MS Windows Server 2003 PKI and Certificate
Security" a concrete issuance policy is defined, while "Best Practices for
Implementing a Microsoft Windows Server 2003 Public Key Infrastructure"
defines the All-Issuance Policy, leaving the definition of policies (OIDs) to the
Issuing CA?

Typically, it is defined at the policy CA, not left as all issuance. You would put in the policy OID(s) of the policies asserted for that policy CA and all subordinate CAs.

2. In case I define a certificate policy on the intermediate CA, and while
installing the issuing CA leave the policy statement section in CAPolicy.inf
blank, will it be issued with no certificate policies or with some inherited
policy? How will this impact the process of certificate chain validation (with
respect to chapter 6 of RFC 3280)? What issuance policies could end entities
contain?

No real need to put it in the issuing CA certificate. By being subordinate to the policy CA where the OID is defined, it must follow those policies.


3. While issuing a cross-certification certificate, is there any difference
between defining the issuance policy in the Cross-Certification Authority certificate
template and in the Policy.inf file? When cross-certifying with the Bridge CA, is it
better that this cross-certificate is issued by the Policy CA or the Issuing CA?

It is defined in the Policy.inf file. With Policy.inf you can define mappings between their OIDs and your OIDs (which are needed to translate between orgs).
I would issue the cross-certificate from the issuing CA for the simple reason that it publishes a more timely CRL if you wish to revoke the cross-CA cert. If issued by a policy CA that publishes CRLs every 6 months, the worst case would be a cross-CA certificate that is revoked but not recognized as such for 6 months due to CRL caching.


Thanks in advance,
Milan

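Added example, not part of the original thread and not Microsoft's chain-building code: a small Python model of the RFC 3280 section 6.1 certificate-policy processing that questions 2 and 3 turn on. It runs the valid_policy_tree and explicit_policy state machine over a path given as plain dicts (trust anchor omitted; first element is the certificate issued by the trust anchor, last element the end entity) and returns whether the path validated plus the set of policies valid at the end entity. Three shapes are set up to match the thread: the 3-tier hierarchy with an issuing CA certificate that asserts anyPolicy, the same hierarchy with the issuing CA certificate carrying no certificatePolicies extension at all (the CAPolicy.inf-left-blank case), and a path across a Bridge CA where the two cross-certificates carry policyMappings from your OID to the bridge's OID and from the bridge's OID to the other organization's. Assumptions: the OIDs under 1.3.6.1.4.1.99999 are placeholders, certificates are dicts rather than X.509 structures, and policy qualifiers, inhibitPolicyMapping, inhibitAnyPolicy and self-issued certificates are not modelled.

```python
# Model of RFC 3280 section 6.1 certificate-policy processing over a path of dict "certificates".
# Added for this thread, not Microsoft's chain engine; policy qualifiers, inhibitPolicyMapping,
# inhibitAnyPolicy and self-issued certificates are not modelled. OIDs under 1.3.6.1.4.1.99999 are placeholders.
ANY_POLICY = "2.5.29.32.0"


class Node:  # valid_policy_tree node (6.1.2 (a)), qualifier_set omitted
    def __init__(self, valid_policy, expected, parent=None):
        self.valid_policy, self.expected, self.parent, self.children = valid_policy, set(expected), parent, []

    def add(self, valid_policy, expected):
        self.children.append(Node(valid_policy, expected, self))


def _at_depth(node, depth):  # nodes at the given depth below node (node itself is depth 0)
    return [node] if depth == 0 else [q for c in node.children for q in _at_depth(c, depth - 1)]


def _prune(node, max_depth, depth=0):  # 6.1.3 (d)(3): drop childless nodes of depth <= max_depth
    node.children = [c for c in node.children if _prune(c, max_depth, depth + 1)]
    return bool(node.children) or depth > max_depth  # False at the root means the tree is NULL


def _intersect(tree, n, user_policies):  # 6.1.5 (g): intersect with the user-initial-policy-set
    if tree is None or ANY_POLICY in user_policies:
        return tree
    vpns = [c for d in range(n) for q in _at_depth(tree, d) if q.valid_policy == ANY_POLICY for c in q.children]
    for leaf in [q for q in _at_depth(tree, n) if q.valid_policy == ANY_POLICY]:  # (g)(iii)(2)
        for p in user_policies - {q.valid_policy for q in vpns}:
            leaf.parent.add(p, [p])
        leaf.parent.children.remove(leaf)
    for q in vpns:  # (g)(iii)(3)
        if q.valid_policy != ANY_POLICY and q.valid_policy not in user_policies:
            q.parent.children.remove(q)
    return tree if _prune(tree, n - 1) else None


def process_path(certs, user_policies=frozenset([ANY_POLICY]), initial_explicit_policy=False):
    """certs[0] is issued by the trust anchor, certs[-1] is the end entity.
    Returns (path_valid, set of policies valid at the end entity)."""
    n = len(certs)
    explicit_policy = 0 if initial_explicit_policy else n + 1              # 6.1.2 (d)
    tree = Node(ANY_POLICY, [ANY_POLICY])                                  # depth 0
    for i, cert in enumerate(certs, start=1):
        policies = cert.get("policies")                                    # None: extension absent
        if tree is not None and policies is None:
            tree = None                                                    # 6.1.3 (e)
        elif tree is not None:
            parents = _at_depth(tree, i - 1)
            for p in [p for p in policies if p != ANY_POLICY]:             # 6.1.3 (d)(1)
                hits = [q for q in parents if p in q.expected]
                for q in hits or [q for q in parents if q.valid_policy == ANY_POLICY]:
                    q.add(p, [p])
            if ANY_POLICY in policies:                                     # 6.1.3 (d)(2)
                for q in parents:
                    for e in q.expected - {c.valid_policy for c in q.children}:
                        q.add(e, [e])
            tree = tree if _prune(tree, i - 1) else None
        if explicit_policy == 0 and tree is None:                          # 6.1.3 (f)
            return False, set()
        if i == n:
            break
        mappings = cert.get("mappings", [])   # (issuerDomainPolicy, subjectDomainPolicy) pairs
        if any(ANY_POLICY in m for m in mappings):                         # 6.1.4 (a)
            raise ValueError("anyPolicy is not allowed in policyMappings")
        if mappings and tree is not None:                                  # 6.1.4 (b), mapping permitted
            depth_i = _at_depth(tree, i)
            for issuer_dom in {m[0] for m in mappings}:
                subj = {s for d, s in mappings if d == issuer_dom}
                nodes = [q for q in depth_i if q.valid_policy == issuer_dom]
                for q in nodes:
                    q.expected = subj
                if not nodes:
                    any_nodes = [q for q in depth_i if q.valid_policy == ANY_POLICY]
                    if any_nodes:
                        any_nodes[0].parent.add(issuer_dom, subj)
        explicit_policy = max(explicit_policy - 1, 0)                      # 6.1.4 (h)
        rep = cert.get("require_explicit_policy")                          # 6.1.4 (i), policyConstraints
        explicit_policy = explicit_policy if rep is None else min(explicit_policy, rep)
    explicit_policy = max(explicit_policy - 1, 0)                          # 6.1.5 (a)
    if certs[-1].get("require_explicit_policy") == 0:                      # 6.1.5 (b)
        explicit_policy = 0
    tree = _intersect(tree, n, set(user_policies))                         # 6.1.5 (g)
    leaves = {q.valid_policy for q in _at_depth(tree, n)} if tree is not None else set()
    return (explicit_policy > 0 or tree is not None), leaves


P_MINE, P_BRIDGE, P_THEIRS = "1.3.6.1.4.1.99999.1", "1.3.6.1.4.1.99999.2", "1.3.6.1.4.1.99999.3"  # placeholders


def internal_chain(issuing_ca_policies, require_explicit=None):  # Root (omitted) -> Policy CA -> Issuing CA -> EE
    return [{"name": "PolicyCA", "policies": [P_MINE], "require_explicit_policy": require_explicit},
            {"name": "IssuingCA", "policies": issuing_ca_policies},
            {"name": "EE", "policies": [P_MINE]}]


# MyRoot (omitted) -> MyPolicyCA -> cross-cert to BridgeCA -> cross-cert to TheirPolicyCA -> TheirIssuingCA -> EE
BRIDGE_CHAIN = [
    {"name": "MyPolicyCA", "policies": [P_MINE]},
    {"name": "MyPolicyCA->BridgeCA", "policies": [P_MINE], "mappings": [(P_MINE, P_BRIDGE)]},
    {"name": "BridgeCA->TheirPolicyCA", "policies": [P_BRIDGE], "mappings": [(P_BRIDGE, P_THEIRS)]},
    {"name": "TheirIssuingCA", "policies": [P_THEIRS]},
    {"name": "TheirEE", "policies": [P_THEIRS]},
]
```

Two results are worth running for yourself. process_path(internal_chain(None)) returns a valid path with an empty policy set: with no requireExplicitPolicy in force, a missing certificatePolicies extension in the issuing CA certificate makes the valid_policy_tree NULL but does not fail the path, so an application that cares about issuance policy has to look at the returned set rather than only at pass/fail; putting requireExplicitPolicy=0 on the policy CA certificate, or validating with initial-explicit-policy set, turns the same chain into a failure. process_path(BRIDGE_CHAIN, {P_MINE}) validates for your own OID even though the end-entity certificate asserts the other organization's OID, which is exactly what the two policy mappings in the cross-certificates are for.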