I am currently working on a project to deploy Windows 2003 PKI.
I will do my best to post to my blog the things I take away from the planning
(or lack thereof), implementation, and operations, to show you how we are
going about establishing a PKI infrastructure and integrating both Microsoft
technology and third-party technology.
The biggest low-hanging fruit Microsoft deployed their PKI for recently was
to support both VPN and wireless access to their networks.
Many people get hung up on trying to deploy PKI for e-mail or web sites and
get bogged down in organizational politics. It is pretty easy to do.
Windows 2003 PKI has a couple of pretty good features that address the chronic
problems associated with PKI deployments for user certificates, and also
address some of the acute problems associated with certificates for
potential clients of a PKI infrastructure.
Specifically:

Identity Management
Auto-enrollment is now a feature of the OS, not Exchange.
Root CAs can now be bridged to Bridge CAs, so it is easier to create
relationships with outside entities and not have to rely on costly solutions
from the major vendors to give end users certs for signing and encryption.
There is still work to be done when it comes to presenting the path and
location the user is at within the organization.
I believe by default Microsoft will put on the certificates the location
within the AD where the PKI credentials' public keys can be found. This works well for
internal operations of PKI, but extranet and intranet use of the
credentials should not expose the organizational structure, IMHO, and the
directory should be pretty flat, i.e. xyz.com: not
CN=userID,OU=AD,DC=xyz,DC=gov, but more like CN=UPN,DC=xyz,DC=gov. I have
not done that much research yet to determine the best way to accomplish
that.
Wireless VPN improvements
Provisioning PKI credentials for hosts that don't support or participate in
AD natively has been a challenge. Remember when I fired up Robbie at DEC?
That is because there is a need for better wireless security, and the
vendors are all trying to be innovative and come up with their own solution
to the problem and write RFCs etc., instead of just working together and
realizing that this solution is nothing more than strategic and will not be
a revenue generator except to sell existing products. I believe Cisco and
Microsoft have been working together to make integration between CISCO
hardware and AD much better. I would like to believe it is because I told
Robbie I was unhappy. Hehe.
Robbie, maybe you can fill in the list on what some of the initiatives are
at play in CISCO related to Windows 2003 PKI.
Delta CRLs
This is a very important development because CRLs could take
time to publish throughout the organization if it spanned multiple time
zones. When you want to stop someone from accessing your network once you
revoke their credentials, a delta CRL is the way to do it in software. I am sure
there are hardware solutions.
Hardware Improvements
I also believe the APIs and the OS have better support for security
hardware. I would love to be able to use memory stick technology to keep my
certs off my user profile, or better yet, export my user profile and My
Documents to a USB device or smart media.
More to come.
Todd Myrick
-----Original Message-----
From: Robbie Allen [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 25, 2003 2:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Certificate Services (was Active Directory Cookbook)
Certificate Services didn't make it into the AD Cookbook, but will in a
future book. As far as good sources today, it really depends on if you are
talking about Windows 2000 or Windows Server 2003. There were quite a few
enhancements to Cert Services in 2003. Here are a few links you may want to
take a look at (links may wrap)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/SE_PKI.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/ws03pkog.asp
http://www.microsoft.com/windows2000/techinfo/planning/security/adminca.asp
Robbie Allen
http://www.rallenhome.com/
-----Original Message-----
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 24, 2003 4:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Cookbook
Thanks. I can see I will have some reading to do this weekend.
Dan
-----Original Message-----
Subject: RE: [ActiveDir] Active Directory Cookbook
From: [EMAIL PROTECTED]
Date: Fri, October 24, 2003 12:57 pm
To: [EMAIL PROTECTED]
While not a cookbook per se, I have found this link useful in my
understanding of PKI:
http://tinyurl.com/s8y1
HTH
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that today is the tomorrow you were worried about?