Dean
I posted a similar question and no one could give me an explanation. I
have to ask the question again because I need to understand the LDAP
namespace used for CRL and AIA distribution points for external
parties.
In "Best Practices for Implementing a Microsoft Windows Server 2003
Public Key Infrastructure"
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx),
Microsoft says:
"Note that the LDAP path can expose internal namespace information if
the certificates will be exchanged with external parties. Change the
LDAP CRL distribution point to a permanent and publicly-available
distribution point if certificates are exchanged with external
parties."
Here is the example written by Microsoft in this document for internal
AD:
ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
My question is: what kind of "public" and "permanent" LDAP
namespace could I use for CRL and AIA distribution? If I want to
exchange my certificates with external parties, I surely don't want to
let them know my Active Directory information, which is replaced by the %6
token. What should I do? If someone has done such work, could you give
me an example of a public LDAP namespace?
Thanks in advance,
Dean
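As an added example (this is not code from the original post or from the Microsoft paper it cites), here is how a Windows CA is usually reconfigured so that the URLs stamped into issued certificates carry no internal namespace. The %6 token is the forest's configuration naming context (CN=Configuration,DC=...), so an ldap:/// CDP or AIA URL discloses the internal domain DN; %1 and %2 (CA server FQDN and short name) disclose the CA host name the same way. The practical "permanent and publicly-available" distribution point is an HTTP URL on a DNS name you control, because an external party has no directory to resolve a host-less ldap:/// URL against anyway. The host name pki.example.com, the local paths and the copy job are assumptions; the certutil registry values, flag bits and %-token meanings are the documented ones.

```powershell
# Added example: not the original post's or Microsoft's code.
# Assumptions: run on the CA itself (Windows Server 2003 or later, PowerShell
# installed) as a CA administrator; pki.example.com is a hypothetical public
# web host you control; a separate job copies CertEnroll\*.crl and *.crt to it.

# 1. What %6 really is: the forest's configuration naming context. This DN
#    names your internal domain and is what an external party would see in
#    an ldap:/// CDP or AIA URL. %1 (CA server FQDN) and %2 (server short
#    name) leak the CA host name the same way.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext
Write-Host "%6 expands to: $configNC"   # e.g. CN=Configuration,DC=corp,DC=example,DC=com

# 2. Inspect the current templates. Each entry is "<flags>:<template>".
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 3. CRL distribution points. Flag bits (CRLPublicationURLs):
#      1 = publish CRLs here          2 = put URL in CDP ext. of issued certs
#      4 = put URL in CRLs (delta)    8 = put URL in IDP ext. of CRLs
#     64 = publish delta CRLs here
#    Only the HTTP entry gets bit 2, so issued certificates carry a public
#    URL. The LDAP entry keeps 1+64 (publish to AD for internal clients)
#    but is no longer written into certificates. The file path uses the
#    same file name as the HTTP URL so the copy job is a plain copy.
$crlUrls = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl'
    '6:http://pki.example.com/pki/%3%8%9.crl'
    '65:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
) -join '\n'   # certutil expects a literal backslash-n between multi-string entries
certutil -setreg CA\CRLPublicationURLs $crlUrls

# 4. Authority Information Access. Flag bits (CACertPublicationURLs):
#      1 = publish CA cert here   2 = put URL in AIA extension   32 = OCSP URL
#    The file is named %3%4.crt (CA name + cert index) rather than the default
#    %1_%3%4.crt, because %1 is the CA host's DNS name.
$aiaUrls = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%3%4.crt'
    '2:http://pki.example.com/pki/%3%4.crt'
    '1:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
) -join '\n'
certutil -setreg CA\CACertPublicationURLs $aiaUrls

# 5. The CA reads these values at start-up; restart it and publish a new CRL.
net stop certsvc
net start certsvc
certutil -CRL

# 6. Check: issue a test certificate and confirm its CDP/AIA extensions show
#    only the http:// URLs, then fetch them from outside the network.
#    (-urlfetch makes certutil retrieve every CDP/AIA URL in the chain.)
# certutil -dump .\issued.cer
# certutil -verify -urlfetch .\issued.cer
```

In PowerShell the % characters need no escaping; from cmd.exe you would write %%3%%8%%9 instead. Certificates issued before the change keep their old CDP/AIA URLs, so anything already handed to an external party has to be reissued, and the LDAP entries can be removed entirely if no internal client depends on AD-published CRLs.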