Posted by Marvin Sun on January 20, 2008, 1:43 pm
Thanks Brian. It's very helpful to know.
Marvin
Brian Komar wrote:
> The lines indicate that the CA is issuing certificates based on the
> issuance policies defined in the CAPolicy.inf.
> A couple of things:
> 1) You are using the default MS OIDs for your forest (I would not
> recommend this for production, get your own org OID arc)
> 2) You can define any issuance policy, you are not required to just
> assert medium, low, high, etc.
> 3) Some orgs will just reference their CPS' OID, and then in the CPS
> doc, state that the CPS supports multiple assurance levels (with each
> OID defined).
>
> Now strictly speaking, if you state in your CP that smart cards are high
> assurance, then this CA should not be issuing smart card certs, since it
> does not support high assurance certs. Can you do it? Of course. Would
> this cause troubles if you cross-certified? Yes, during an audit.
>
> Brian
>
>> This is probably a newbie question. I'm testing a PKI deployment, and
>> have been wondering what the purpose of specifying different Issuance
>> Policies in the CAPolicy.inf file is.
>>
>> To illustrate my point, if I add the following strings into
>> CAPolicy.inf, what does it give me? e.g. Does this mean that this CA
>> is prohibited from issuing High Assurance level certificates such as
>> SmartCard User?
>>
>> ;[Capolicy]
>> [PolicyStatementExtension]
>> Policies = MediumAssurancePolicy, LowAssurancePolicy
>> CRITICAL = FALSE
>>
>> [MediumAssurancePolicy]
>> OID = 1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.401
>>
>> [LowAssurancePolicy]
>> OID = 1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.400
>>
>> Thanks in advance for your feedback.
>>
>> Yang
>
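As an added example (not code from the thread, and not a Microsoft tool), here is a small Python script that parses the [PolicyStatementExtension] fragment quoted above with configparser and checks the two points Brian makes: whether the issuance-policy OIDs sit on Microsoft's default arc 1.3.6.1.4.1.311.21.8 (his item 1), and whether the CA asserts a particular issuance-policy OID at all, which is the test behind his smart card remark. The sample input is the fragment from the post; the "high assurance" OID used in the demo run at the bottom is an assumed value for illustration, not one the thread gives.

```python
"""Sanity checks on the issuance policies a CAPolicy.inf fragment asserts.

Two questions raised in the thread:
  1. Are the policy OIDs under the Microsoft default arc 1.3.6.1.4.1.311.21.8
     (fine for a lab, but a production CA should use the org's own arc)?
  2. Does the CA assert a given policy OID at all? If the CP says smart cards
     are high assurance and the high-assurance OID is absent, this CA should
     not be issuing smart card certificates.
"""
import configparser
from typing import Dict, List

# Microsoft's arc for the forest-generated default issuance policies.
MS_DEFAULT_ARC = "1.3.6.1.4.1.311.21.8"

# The fragment posted in the thread; the leading ';[Capolicy]' is a comment line.
SAMPLE_CAPOLICY_INF = """\
;[Capolicy]
[PolicyStatementExtension]
Policies = MediumAssurancePolicy, LowAssurancePolicy
CRITICAL = FALSE

[MediumAssurancePolicy]
OID = 1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.401

[LowAssurancePolicy]
OID = 1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.400
"""


def parse_issuance_policies(text: str) -> Dict[str, str]:
    """Map each policy named in [PolicyStatementExtension] Policies= to its OID.

    CAPolicy.inf is INI-style, so configparser handles it; option names are
    matched case-insensitively. A policy that is listed but has no section,
    or a section with no OID, is a configuration error and raises ValueError.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    if not cfg.has_section("PolicyStatementExtension"):
        return {}
    listed = cfg.get("PolicyStatementExtension", "Policies", fallback="")
    names = [n.strip() for n in listed.split(",") if n.strip()]
    policies: Dict[str, str] = {}
    for name in names:
        if not cfg.has_section(name) or not cfg.has_option(name, "OID"):
            raise ValueError(
                f"policy {name!r} is listed but has no [{name}] section with an OID"
            )
        policies[name] = cfg.get(name, "OID").strip()
    return policies


def under_arc(oid: str, arc: str) -> bool:
    """True if oid equals arc or is a descendant of it. The comparison is
    component-wise, not a raw string prefix: ...311.21.80 is not under ...311.21.8."""
    return oid == arc or oid.startswith(arc + ".")


def policies_on_ms_default_arc(policies: Dict[str, str]) -> List[str]:
    """Names of the policies whose OID lives under Microsoft's default arc."""
    return [name for name, oid in policies.items() if under_arc(oid, MS_DEFAULT_ARC)]


def asserts_policy(policies: Dict[str, str], required_oid: str) -> bool:
    """True if this CA asserts the given issuance-policy OID."""
    return required_oid in policies.values()


if __name__ == "__main__":
    pols = parse_issuance_policies(SAMPLE_CAPOLICY_INF)
    for name, oid in pols.items():
        print(f"{name}: {oid}")
    print("policies on the MS default arc:", policies_on_ms_default_arc(pols))
    # Assumed value: suppose the org's CP maps 'high assurance' to this OID.
    # It is a hypothetical for the demo, not an OID taken from the thread.
    high_assurance = "1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.402"
    print("asserts high assurance:", asserts_policy(pols, high_assurance))
```

Run against the posted fragment, both policies come back as being on the Microsoft default arc, and the assumed high-assurance OID is not asserted, which is exactly the situation Brian describes: the CA can technically issue a smart card certificate, but it would not carry the policy the CP requires.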