
Issuance policies in CA certificates


Milan

Mar 24, 2008, 1:54:01 PM
Dear All,

For testing purposes, I'm trying to set up two distinct 3-tier PKI
hierarchies based on Win2003EE. When formed, they will be connected over
a Bridge CA in order to test interoperability (particularly constraints between
domains). Considering that I have recently started to explore the world of
PKI, I have a few questions regarding certificate policies and
cross-certification:
1. What is the best practice for defining certificate policies for an
intermediate (Policy) CA? In "MS Windows Server 2003 PKI and Certificate
Security" a concrete issuance policy is defined, while "Best Practices for
Implementing a Microsoft Windows Server 2003 Public Key Infrastructure"
defines All-Issuance Policy, leaving the definition of policies (OIDs) to the
Issuing CA?
2. In case I define a certificate policy on the intermediate CA, and while
installing the issuing CA leave the policy statement section in CAPolicy.inf
blank, will it be issued with no certificate policies or with some inherited
policy? How will this impact the process of certificate chain validation (in
respect to chapter 6 of RFC 3280)? What issuance policies could end entities
contain?
3. While issuing a cross-certification certificate, is there any difference
between defining the issuance policy in the CrossCertification Authority
certificate template and in the Policy.inf file? When cross-certifying with the
BridgeCA, is it better that this cross-certificate is issued by the PolicyCA or
the IssuingCA?

Thanks in advance,
Milan

Brian Komar (MVP)

Mar 24, 2008, 2:58:45 PM
Some answers inline...

"Milan" <Mi...@discussions.microsoft.com> wrote in message
news:F6E5A1AA-BBB6-4FCD...@microsoft.com...


> Dear All,
>
> For testing purposes, I'm trying to set up two distinct 3-tier PKI
> hierarchies based on Win2003EE. When formed, they will be connected over
> a Bridge CA in order to test interoperability (particularly constraints
> between
> domains). Considering that I have recently started to explore the world of
> PKI, I have a few questions regarding certificate policies and
> cross-certification:
> 1. What is the best practice for defining certificate policies for an
> intermediate (Policy) CA? In "MS Windows Server 2003 PKI and Certificate
> Security" a concrete issuance policy is defined, while "Best Practices
> for
> Implementing a Microsoft Windows Server 2003 Public Key Infrastructure"
> defines All-Issuance Policy, leaving the definition of policies (OIDs) to the
> Issuing CA?

Typically, it is defined at the policy CA, not left as all issuance. You
would put in the policy OID(s) of the policies asserted for that policy CA
and all subordinate CAs.

> 2. In case I define a certificate policy on the intermediate CA, and while
> installing the issuing CA leave the policy statement section in CAPolicy.inf
> blank, will it be issued with no certificate policies or with some
> inherited
> policy? How will this impact the process of certificate chain validation
> (in
> respect to chapter 6 of RFC 3280)? What issuance policies could end entities
> contain?

No real need to put it in the issuing CA certificate. By being subordinate
to the policy CA where the OID is defined, it must follow those policies.


> 3. While issuing a cross-certification certificate, is there any difference
> between defining the issuance policy in the CrossCertification Authority
> certificate
> template and in the Policy.inf file? When cross-certifying with the BridgeCA, is it
> better that this cross-certificate is issued by the PolicyCA or the IssuingCA?

It is defined in the Policy.inf file. With policy.inf you can define
mappings between their OIDs and your OIDs (which are needed to translate
between orgs).
I would issue the cross certificate from the issuing CA for the simple
reason that it publishes a more timely CRL if you wish to revoke the crossCA
cert. If issued by a policy CA that publishes CRLs every 6 months, the worst
case would result in a Cross CA certificate that would be revoked but not
recognized for 6 months due to CRL caching.

>
> Thanks in advance,
> Milan
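The RFC 3280 section 6 behaviour behind questions 2 and 3 can be seen by running a reduced version of its valid_policy_tree algorithm over the two chains the thread describes. This is an added Python illustration, not code from the thread or from Windows; the cert dicts, the 2.999.x sample OIDs and the assumption that a blank policy section in CAPolicy.inf yields a CA certificate with no certificatePolicies extension are mine.

```python
ANY = "2.5.29.32.0"          # anyPolicy
OUR_POLICY = "2.999.1.1"     # constructed sample OIDs under the 2.999 example arc
BRIDGE_POLICY = "2.999.2.7"

def valid_policies(chain):
    """Simplified RFC 3280 s6.1.3(d)/(e) and s6.1.4(b) policy-tree processing.
    chain: certs from the one issued by the trust anchor down to the end entity.
    cert['policies'] = OIDs in certificatePolicies, or None when the extension is
    absent; cert['mappings'] = {issuerDomainPolicy: [subjectDomainPolicy, ...]}.
    No policyConstraints/inhibitAnyPolicy (counters stay > 0). Returns
    {(leaf valid_policy, depth-1 ancestor policy)}, empty when the tree is NULL."""
    level = [(ANY, {ANY}, ANY)]            # depth 0: the single anyPolicy root node
    n = len(chain)
    for i, cert in enumerate(chain, start=1):
        if cert["policies"] is None:       # s6.1.3(e): no extension -> tree becomes NULL
            return set()
        nxt = []
        for p in cert["policies"]:
            if p == ANY:
                continue
            kids = [(p, {p}, top) for vp, exp, top in level if p in exp]      # (d)(1)(i)
            if not kids:                                                      # (d)(1)(ii)
                kids = [(p, {p}, top) for vp, exp, top in level if vp == ANY]
            nxt += kids
        if ANY in cert["policies"]:        # (d)(2): anyPolicy carries every expected policy down
            for vp, exp, top in level:
                nxt += [(e, {e}, top) for e in exp if all(c[0] != e for c in nxt)]
        if i < n:                          # s6.1.4(b): policyMappings in an intermediate cert
            for issuer_oid, subject_oids in cert.get("mappings", {}).items():
                hit = [c for c in nxt if c[0] == issuer_oid]
                for c in hit:              # node exists: rewrite its expected_policy_set
                    c[1].clear()
                    c[1].update(subject_oids)
                if not hit:                # otherwise hang a new node under an anyPolicy node
                    nxt += [(issuer_oid, set(subject_oids), t) for v, _, t in nxt if v == ANY]
        if i == 1:                         # depth-1 nodes are their own ancestor
            nxt = [(vp, exp, vp) for vp, exp, _ in nxt]
        level = nxt
    return {(vp, top) for vp, _, top in level}

def hierarchy(issuing_ca_policies):
    """Policy CA -> Issuing CA -> end entity under a trusted root, as in question 2."""
    return [{"policies": [OUR_POLICY]}, {"policies": issuing_ca_policies},
            {"policies": [OUR_POLICY]}]

def bridge_path():
    """Seen from a relying party trusting the Bridge CA: the cross-certificate it issued to our CA (bridge OID, mapped to ours), then our end entity."""
    return [{"policies": [BRIDGE_POLICY], "mappings": {BRIDGE_POLICY: [OUR_POLICY]}},
            {"policies": [OUR_POLICY]}]
```

With no certificatePolicies extension in the issuing CA certificate the tree becomes NULL, so the path asserts no policy at all (it still validates unless the application requires an explicit policy), while the cross-certificate's policy mapping lets the bridge's relying parties see our end-entity OID under their own policy.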
