June 06, 2005
Tuesday's Cabana Session
Just wanted to update everyone that David Cross will not be arriving until Wednesday, so Darren Canavor from Microsoft is stepping in to assist me with the PKI Deployment Cabana session. The time remains the same, 3:15 to 4:30 pm, in Track Cabana 16. We will be giving away one signed copy of my PKI book "Microsoft® Windows Server™ 2003 PKI and Certificate Security" to the person with the best question.
See you tomorrow!
Brian
Posted by at 05:04 PM | Comments (1)
June 03, 2005
Tech Ed in Orlando - Update on Sessions
Hi everyone,
Sorry for the delays in posting the last month, it has been hectic!
I just want to update everyone on my break-out and cabana sessions at Tech Ed.
Break-out Sessions
I am delivering one break-out session, SEC: 400 Managing a Smart Card Deployment, at Tech Ed on Wednesday June 8, 2005 from 3:45 - 5:00 PM in S200D. This session will discuss planning and managing a smart card deployment for your organization and will include details from current engagements that I am performing for MCS that deal with smart card deployments. If you are looking for additional documentation for your smart card deployment, take a look at these two excellent resources:
- FIPS PUB 201: Personal Identity Verification (PIV) of Federal Employees and Contractors (http://www.csrc.nist.gov/publications/fips/fips201/FIPS-201-022505.pdf). This document's goal is to "improve the identification and authentication of Federal employees and contractors for access to Federal facilities and information systems". It provides some great examples of how to validate the identity of a smart card requester before issuing a smart card to that person.
- X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) (http://www.cio.gov/fpkipa/documents/fbca_cp_09-10-02.pdf). This document is a great resource for guidelines for deploying a Certification Authority that will be trusted by external resources. When looking for smart card resources within the documentation, focus on the discussions on the five assurance levels: rudimentary, basic, medium, high, and test. The document provides descriptions of the types of transactions relevant to each assurance level, the documentation required to validate a requester's identity, and what is required at certificate renewal.
Cabana Sessions
Cabana sessions are probably my favorite part of Tech Ed, as the content is driven by you, the attendees. A Cabana session takes place in a small section of the convention hall, where speakers and experts field questions on the subject of the Cabana from the audience. At last year's show, Paul Adare (www.identit.ca/blogs/paul) made extensive use of the whiteboard to answer the questions from the audience. I do not think anyone left disappointed. At this year's show, I will be taking part in two Cabana sessions:
- Q&A: PKI Deployment.
This session takes place in Track Cabana 16 on Tuesday June 7th, 2005 from 3:15 to 4:30 pm.
This session will be co-hosted by David Cross, Microsoft's PKI Group Program Manager, and myself. David and I have written several white papers together and he was a great source of information and assistance for my PKI book "Microsoft® Windows Server™ 2003 PKI and Certificate Security" (http://www.microsoft.com/MSPress/books/6745.asp#AboutTheBook). David was the major contributor (say 90%) from the Microsoft PKI Team!
- Q&A: Smart card Deployment.
This session takes place in Track Cabana 16 on Thursday June 9th, 2005 from 1:30 to 2:45 pm.
This session will be co-hosted by Paul Adare, IdentIT Inc.'s CTO, and myself. Paul and I have been involved in several smart card deployments over the last year and have lots of behind-the-scenes information for the attendees of the session.
See you at the show!
Brian
Posted by at 07:04 AM | Comments (0)
Common Questions about Certificate Templates
In the Windows Server 2003 PKI, there are two different types of certificate templates that you can work with. Version 1 certificate templates are the templates that also existed in the Windows 2000 PKI, and the only thing you can change on them is their permissions. You cannot change the content of the certificate (the format of the subject, the lifetime of the certificate, the uses of the certificate, etc.). You can, however, duplicate a version 1 template, which creates what is known as a version 2 certificate template. A version 2 certificate template allows you to modify both the content and the permissions of the template. It is not possible to create a version 2 certificate template from scratch: you must duplicate an existing version 1 or version 2 template, so choose a template that is close to the functionality that you require.
A version 2 certificate template can only be issued by an enterprise CA running on Windows Server 2003, Enterprise Edition. The most common mistake that I see is a customer trying to issue version 2 certificate templates from an enterprise CA running Windows Server 2003, Standard Edition. The Standard Edition CA is hard-coded to *not* issue version 2 certificate templates, so they never show up in the list of templates available to issue on that CA, no matter how the template permissions are set.
In addition, Windows Server 2003, Standard Edition should not be confused with a Windows Server 2003 standalone CA. A standalone CA, whether it is running on Windows Server 2003, Standard Edition or Windows Server 2003, Enterprise Edition, does not use certificate templates at all when it issues certificates. Instead, the certificate content is based entirely on the information provided in the certificate request.
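The quickest way to confirm which kind of template you are dealing with is to read it out of Active Directory: every template is a pKICertificateTemplate object under the Certificate Templates container, and its msPKI-Template-Schema-Version attribute is 1 for a version 1 template and 2 for a version 2 template. Each enterprise CA, in turn, advertises the templates it will issue in the certificateTemplates attribute of its pKIEnrollmentService object. The script below is an added example written for this page, not code from the original post or from Microsoft; it assumes it is run on a domain member by a user who can read the Configuration partition (any authenticated user by default), and it flags every published template that is version 2 so you can check it against the edition of the CA that publishes it.

```powershell
# Added example: list certificate templates with their schema version, then show
# which templates each enterprise CA publishes. Assumes a domain-joined machine
# and Read access to the Configuration partition (the default for domain users).
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Every template in the forest: version 1 = permissions only, version 2 =
#    editable content, issuable only from an Enterprise Edition enterprise CA.
$tmplSearch = New-Object System.DirectoryServices.DirectorySearcher
$tmplSearch.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
$tmplSearch.Filter = "(objectClass=pKICertificateTemplate)"
$null = $tmplSearch.PropertiesToLoad.AddRange(@("cn", "msPKI-Template-Schema-Version", "pKIExpirationPeriod"))

$templateVersion = @{}
"Templates defined in the forest:"
foreach ($r in $tmplSearch.FindAll()) {
    $cn  = [string]$r.Properties["cn"][0]
    $ver = [int]$r.Properties["mspki-template-schema-version"][0]
    # pKIExpirationPeriod is a negative 64-bit interval in 100 ns units
    $raw  = [byte[]]$r.Properties["pkiexpirationperiod"][0]
    $days = [math]::Abs([BitConverter]::ToInt64($raw, 0)) / 864000000000
    $templateVersion[$cn] = $ver
    "  {0,-36} version {1}  lifetime {2:N0} days" -f $cn, $ver, $days
}

# 2. Templates each enterprise CA publishes (certificateTemplates on its
#    pKIEnrollmentService object). A version 2 entry here is only valid if
#    the CA runs Windows Server 2003, Enterprise Edition.
$caSearch = New-Object System.DirectoryServices.DirectorySearcher
$caSearch.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
$caSearch.Filter = "(objectClass=pKIEnrollmentService)"
foreach ($ca in $caSearch.FindAll()) {
    $caName  = [string]$ca.Properties["cn"][0]
    $dnsHost = [string]$ca.Properties["dnshostname"][0]
    ""
    "CA '$caName' on $dnsHost publishes:"
    foreach ($t in $ca.Properties["certificatetemplates"]) {
        $name = [string]$t
        $note = if ($templateVersion[$name] -eq 2) { "  <- version 2: Enterprise Edition CA required" } else { "" }
        "  $name$note"
    }
}
```

If a version 2 template appears in the CA's published list but clients still cannot enroll for it, compare this AD view with what the CA service itself reports: `certutil -CATemplates -config "host\CA Name"` lists the templates the running CA will actually honor, and a Standard Edition CA will not honor the version 2 entries. Note that a standalone CA has no certificateTemplates attribute to speak of, which matches the point above that standalone CAs ignore templates entirely.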
You can edit certificate templates (using the Certificate Templates MMC snap-in, certtmpl.msc) from any Windows XP or Windows Server 2003 domain member computer, as long as you are logged in as a user that is assigned the Read and Write permissions for the specific template. To create new templates, you must be assigned Full Control permission on the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container and the CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container. By default only members of Enterprise Admins hold that permission, so delegating template creation means explicitly granting it on both containers.
Finally, when you attempt to enroll a version 2 certificate template, there are some restrictions on how you can enroll it:
- Only users on Windows XP and Windows Server 2003 computers can enroll certificates based on version 2 certificate templates using the Certificate Request Wizard (from the Certificates MMC).
- Users on Windows 2000, Windows XP, and Windows Server 2003 client computers can enroll version 2 certificate templates using the Certificate Enrollment Web Pages.
- All client operating systems (Windows 98 and higher) can enroll certificates based on version 2 certificate templates by using scripting.
HTH,
Brian
Posted by at 06:38 AM | Comments (1)