CRL and AIA CDP in certificates exposes internal AD configuration information


Dean

In "Best Practices for Implementing a Microsoft Windows Server 2003
Public Key Infrastructure"
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx),
the scripts show us how to publish CA certs and CRLs using HTTP and
LDAP paths:

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:%myhttpPKIvroot%/%%3%%8%%9.crl\n10:ldap://%myLDAPserver%/CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:%myhttpPKIvroot%/%%1_%%3%%4.crt\n2:ldap://%myLDAPserver%/CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

In the LDAP path, the %6 token stands for the AD Configuration container. If my AD
namespace is "DC=company_name, DC=internal" instead of
"DC=company_name, DC=com", my private AD namespace will be exposed to
external parties if we issue certificates to them.

According to the best practice recommendation in this document, we
should avoid including the internal organization name in the CRL. I
understand that using only an HTTP CDP can avoid this problem. My question
is: if I want to keep the LDAP path for the CDP in issued certificates, is
there any other way not to use the "%6" token in CA AIA and CRL
publishing? Is it a serious problem?

Could Microsoft folks, especially David Cross, give me some
explanations here? I really appreciate it.

Thanks,

Dean

David Cross

Note that the %6 replacement token typically starts with
"CN=Configuration,DC=..." It's certainly reasonable to replace the %6 with
any other valid, accessible sequence that could be resolved in your
environment.

I think we may have generally overstated the potential risk that customers
may or may not be exposed through an LDAP path in certificates. I think we
really wanted to note a potential decision point that each organization has
to evaluate based on risks, threats, etc.
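As an added example (my own, not from the thread or from Microsoft's document), the Python below expands the replacement tokens in the CRLPublicationURLs and CACertPublicationURLs templates from the first post and reports which URLs would both be embedded in issued certificates (flag bit 2) and carry the internal namespace through %6, which is the decision point David describes. The CA values, batch variables and internal-name markers are constructed sample values; whether a substitute for %6 is actually resolvable by relying parties is something this check cannot tell you.

```python
# CA values substituted for certutil tokens %1..%11 (constructed; %6 is in a ".internal" forest).
CA_VALUES = {
    "1": "ca01.company_name.com",   # ServerDNSName (also lands in AIA file names)
    "2": "CA01",                    # ServerShortName
    "3": "Company Issuing CA",      # CaName
    "4": "",                        # CertificateName: key-index suffix, "" for key 0
    "6": "CN=Configuration,DC=company_name,DC=internal",  # ConfigurationContainer
    "7": "Company Issuing CA",      # CATruncatedName
    "8": "",                        # CRLNameSuffix
    "9": "",                        # DeltaCRLAllowed: "+" only while building a delta CRL
    "10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "11": "?cACertificate?base?objectClass=certificationAuthority",
}
# Batch variables used by the script in the thread, with sample values.
BATCH_VARS = {"%WINDIR%": r"C:\Windows",
              "%myhttpPKIvroot%": "http://pki.company_name.com/pki",
              "%myLDAPserver%": ""}   # empty host => ldap:/// (any reachable DC)
INTERNAL_MARKERS = ("dc=internal", "dc=local", ".internal", ".local")

# The two templates exactly as they appear in the thread (batch-escaped).
CRL_URLS = (r"1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl"
            r"\n2:%myhttpPKIvroot%/%%3%%8%%9.crl"
            r"\n10:ldap://%myLDAPserver%/CN=%%7%%8,CN=%%2,CN=CDP,"
            r"CN=Public Key Services,CN=Services,%%6%%10")
AIA_URLS = (r"1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt"
            r"\n2:%myhttpPKIvroot%/%%1_%%3%%4.crt"
            r"\n2:ldap://%myLDAPserver%/CN=%%7,CN=AIA,"
            r"CN=Public Key Services,CN=Services,%%6%%11")

def expand(template, values=CA_VALUES, batch=BATCH_VARS):
    """Return (flags, url) pairs. '%%' is the batch escape for a literal '%',
    and the two characters backslash-n separate the entries."""
    raw = template.replace("%%", "%")
    for var, val in batch.items():
        raw = raw.replace(var, val)
    out = []
    for entry in filter(None, raw.split("\\n")):
        flags, _, url = entry.partition(":")
        # Longest token names first, so %10 is not read as %1 followed by "0".
        for tok in sorted(values, key=len, reverse=True):
            url = url.replace("%" + tok, values[tok])
        out.append((int(flags), url))
    return out

def leaked_urls(template, values=CA_VALUES):
    """URLs that go into issued certificates (flag bit 2 set) and contain an
    internal naming marker; these are the ones external parties will see."""
    return [u for f, u in expand(template, values)
            if f & 2 and any(m in u.lower() for m in INTERNAL_MARKERS)]
```

Running `leaked_urls(CRL_URLS)` and `leaked_urls(AIA_URLS)` on the sample values flags only the two LDAP entries; the HTTP entries stay clean because they never reference %6.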
David Cross said:
Note that the %6 replacement token typically starts with
"CN=Configuration,DC=..." It's certainly reasonable to replace the %6 with
any other valid, accessible sequence that could be resolved in your
environment.

I think we may have generally overstated the potential risk that customers
may or may not be exposed through an LDAP path in certificates. I think we
really wanted to note a potential decision point that each organization has
to evaluate based on risks, threats, etc.

Thanks David. Your answer is very helpful. I really appreciate it.
Could you give me a simple example that shows a "valid, accessible
sequence that could be resolved in your environment" with an LDAP URL?
That is what I am struggling with now.

If my private LDAP path looks like "....CN=Configuration,DC=...", how can
it be resolved with another LDAP path by the public? Besides, if I find
a publicly accessible LDAP path for my private AD, do I have to open
firewall ports for LDAP?

Thanks,

Dean