Posted by Brian Komar \(MVP\) on March 24, 2008, 2:58 pm
Some answers inline...
> Dear All,
>
> For the purpose of testing, I'm trying to set up two distinct 3-tier PKI
> hierarchies based on Win2003EE. When formed, they will be connected over a
> Bridge CA in order to test interoperability (particularly constraints
> between domains). Considering that I have recently started to explore the
> world of PKI, I have a few questions regarding certificate policies and
> cross-certification:
> 1. What is the best practice for defining certificate policies for an
> intermediate (Policy) CA? In "MS Windows Server 2003 PKI and Certificate
> Security" a concrete issuance policy is defined, while "Best Practices for
> Implementing a Microsoft Windows Server 2003 Public Key Infrastructure"
> defines All-Issuance Policy, leaving the definition of policies (OIDs) to the
> Issuing CA?
Typically, it is defined at the policy CA, not left as all issuance. You
would put in the policy OID(s) of the policies asserted for that policy CA
and all subordinate CAs.
> 2. In case I define a certificate policy on the intermediate CA, and while
> installing the issuing CA leave the policy statement section in CAPolicy.inf
> blank, will it be issued with no certificate policies or with some inherited
> policy? How will this impact the process of certificate chain validation (in
> respect to chapter 6 of RFC 3280)? What issuance policies could end entities
> contain?
No real need to put it in the issuing CA certificate. By being subordinate
to the policy CA where the OID is defined, it must follow those policies.
> 3. While issuing a cross-certification certificate, is there any difference
> between defining the issuance policy in the Cross Certification Authority
> certificate template and in the Policy.inf file? When cross-certifying with
> the Bridge CA, is it better that this cross-certificate is issued by the
> Policy CA or the Issuing CA?
It is defined in the Policy.inf file. With Policy.inf you can define
mappings between their OIDs and your OIDs (which are needed to translate
between orgs).
I would issue the cross certificate from the issuing CA for the simple
reason that it publishes a more timely CRL if you wish to revoke the cross-CA
cert. If issued by a policy CA that publishes CRLs every 6 months, the worst
case would result in a cross-CA certificate that would be revoked but not
recognized for 6 months due to CRL caching.
>
> Thanks in advance,
> Milan
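As an added illustration (not code from the thread or from either poster), here is the simplified RFC 3280 section 6 policy processing that Milan's second question refers to, run over a constructed chain: Org A's policy OID, asserted at its policy CA, reaches an Org B end entity through the bridge only when each cross-certificate carries the policy mappings Brian mentions. The OIDs, the chain and the `bridged_chain` helper are invented for the example; policy constraints and inhibitAnyPolicy are not modelled.

```python
ANY_POLICY = "2.5.29.32.0"  # the anyPolicy OID
def process_policies(chain, user_initial_policies):
    """Simplified RFC 3280 s6 policy processing: chain = certs after the trust anchor,
    nearest first, each {'policies': [OIDs] or None, 'mappings': [(issuer, subject)]}.
    Returns the relying party's policy OIDs under which the chain is valid."""
    nodes = {ANY_POLICY: (ANY_POLICY, {ANY_POLICY})}  # valid_policy -> (rp-domain policy, expected)
    for cert in chain:
        policies = cert.get("policies")
        if policies is None:            # 6.1.3(e): extension absent, tree becomes NULL
            return set()
        nxt = {}
        for oid in policies:
            if oid == ANY_POLICY:
                continue
            parents = [p for p, (_, exp) in nodes.items() if oid in exp]  # 6.1.3(d)(1)(i)
            if not parents and ANY_POLICY in nodes:                         # 6.1.3(d)(1)(ii)
                parents = [ANY_POLICY]
            if parents:
                rp = nodes[parents[0]][0]
                nxt[oid] = (oid if rp == ANY_POLICY else rp, {oid})
        if ANY_POLICY in policies:      # 6.1.3(d)(2): anyPolicy carries every expectation
            for rp, exp in nodes.values():
                for p in exp:
                    nxt.setdefault(p, (p if rp == ANY_POLICY else rp, {p}))
        mapped = {}
        for issuer_oid, subject_oid in cert.get("mappings", []):
            mapped.setdefault(issuer_oid, set()).add(subject_oid)
        for issuer_oid, subjects in mapped.items():  # 6.1.4(b)(1): rewrite expectations
            if issuer_oid in nxt:
                nxt[issuer_oid] = (nxt[issuer_oid][0], subjects)
            elif ANY_POLICY in nxt:
                nxt[issuer_oid] = (issuer_oid, subjects)
        nodes = nxt
    rp_policies = {rp for rp, _ in nodes.values()}
    if ANY_POLICY in rp_policies:       # 6.1.5(g): anyPolicy all the way down
        return set(user_initial_policies)
    return rp_policies & set(user_initial_policies)
# Constructed OIDs for the two organisations and the bridge (hypothetical values).
A_OID, BRIDGE_OID, B_OID = "1.3.6.1.4.1.99999.1.1", "1.3.6.1.4.1.99999.2.1", "1.3.6.1.4.1.99999.3.1"
def bridged_chain(with_mappings=True):
    m = lambda a, b: [(a, b)] if with_mappings else []
    return [
        {"policies": [A_OID]},                                        # Org A policy CA
        {"policies": [A_OID]},                                        # Org A issuing CA
        {"policies": [A_OID], "mappings": m(A_OID, BRIDGE_OID)},      # cross-cert to bridge CA
        {"policies": [BRIDGE_OID], "mappings": m(BRIDGE_OID, B_OID)}, # bridge to Org B policy CA
        {"policies": [B_OID]},                                        # Org B issuing CA
        {"policies": [B_OID]},                                        # Org B end entity
    ]
```

With mappings the chain validates for Org A's own OID; without them the Org B policies never match anything the relying party expects, and an issuing CA that asserts anyPolicy under a policy CA defining the OID still validates, which is the "All-Issuance Policy" case from the first question.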