Help Microsoft define the next Windows Certificate Server

rusga

Vanguardx,

Maybe MS applied SP4 on their servers and MS nntp service (that ships as
part of IIS on Win2ks) was gone (puff) like mine (and my organization's)
when I applied the same SP... The reason for this, as MS stated in their
site, was that it was a beta release, and so, not needed! (using some
other fancy words).

Needless to say that most of the organization's workflow (the dropped one)
was using MS nntp service until that SP was applied.

Also needless to say is that it was not stated in the software
installation procedure that it was a beta release apart from that usual
EULA that states "... bla bla this software *AS IS*" (pls note: not *AS
WAS*!) before one opens the product.

I still don't know quite well how to face this since I still apply SPs and
patches on a stated "finished product release".

Maybe SP5 (if ever) will wipe out the entire win2ks?

Regards,
rusga

PS: All legal and contractual MS software and SP cds.
 
rusga

.... Am I blue? Not quite. There are many colors in the rainbow. Red is one.

Regards,
rusga
 
Fei Chua

Hi, I am a Program Manager with the Microsoft PKI team focusing on the
next generation Certificate Server. Our team is currently working on
the next version of the Microsoft Certification Server to be shipped
with the next Windows Server release. We are in the process of
defining Certificate Server's manageability features and we would
welcome your input and feedback. We want to get first hand input from
PKI customers like you to help define our manageability feature set.
Specifically, these are the 4 areas we would appreciate input on:

Performance Counters (new to Certificate Server): What perfmon
counters would you like to monitor in your environment if they were
available?
Event Logging: What new events would you like to see added?
Security Audit: What did we miss in our current audit log?
Run time trace log (enabled with "certutil -setreg -f debug" or
"certutil -setreg ca\debug 0xffffffe3"): Have you used this feature?
Is it helpful? Do you need an additional level of tracing capability?

We'd appreciate any feature requests, feedback or input in the above 4
topic areas. Preferably we'd like you to include one scenario for each
feature requested to help us understand how a particular feature could
be useful in what situation. Please send your list of feature requests
to (e-mail address removed). Note: you will need to remove
the "nospamplease." from the e-mail address before sending. We promise
to look at every single request we receive and prioritize accordingly
based on the scenarios you provide. I cannot promise an individual
response to everyone, but I will acknowledge your submission and make
best efforts to respond with feedback and questions if appropriate.
Feel free to forward this message to other PKI users/admins as
appropriate.

Thanks for your time and I look forward to all your feedback. We are
committed to delivering the best feature set based on your needs.


Fei Chua

Program Manager, Windows Certificate Server
 
Vanguardx

Fei Chua said:
Hi, I am a Program Manager with the Microsoft PKI team focusing on the
... Please send your list of features request
to (e-mail address removed). Note: you will need to remove
the "nospamplease." from the e-mail address before sending. ...
<snip>

One, why would a Microsoft employee that is submitting a post related to
their employment be posting through Google Groups (as shown in the PATH
header) rather than through Microsoft's own NNTP server?

Two, Microsoft doesn't provide sufficient spam filtering to allow you to
use an unmunged e-mail address? Doesn't bode well for Microsoft if even
they can't figure out how to filter out the spam.

Three, why would a Microsoft employee be specifying a Hotmail e-mail
address in the From header of their post? You post with an unmunged
Hotmail e-mail address but want replies sent to a munged microsoft.com
e-mail address.

Four, the NNTP-Posting-Host shows you sent your post from a cable
account at Comcast (24.17.196.233 = c-24-17-196-233.client.comcast.net).
Microsoft has suddenly required their employees to make public
announcements from their home cable accounts?

So we have someone claiming to be a Microsoft representative who posts
through Google (instead of using Microsoft's own news server) from a
Comcast cable account who used a Hotmail account to register for a
Google Groups account and wants replies sent to a munged e-mail address
at Microsoft because they must not be capable of handling the spam and
virally-laden e-mails that might arrive due to posting in newsgroups.
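The checks in the post above (Path trail, NNTP-Posting-Host, From and Reply-To domains against the organisation the post claims to speak for) can be scripted. The following is an added example, not code from anyone in this thread: it parses a raw article header block with Python's standard `email` module and lists every header that disagrees with the claimed organisation. Both sample articles, the domains in them, and the "corporate" address range are constructed for the example (documentation addresses, not the real hosts discussed in the thread).

```python
"""Cross-check the claimed sender of a Usenet article against its injection
headers. Added example; all sample headers below are constructed."""
from email import message_from_string
from email.utils import parseaddr
import ipaddress

# Constructed article resembling the case discussed: injected via a public
# web gateway, From at a webmail domain, Reply-To at a munged corporate domain.
SUSPECT_ARTICLE = """\
Path: news.example.net!postnews.google.example!not-for-mail
From: "PKI Program Manager" <someone@hotmail.example>
Reply-To: someone@nospamplease.corp.example
Newsgroups: microsoft.public.security
Subject: Help define the next Certificate Server
NNTP-Posting-Host: 203.0.113.45

Body text here.
"""

# Constructed article posted straight to a corporate news host.
DIRECT_ARTICLE = """\
Path: news.example.net!news.corp.example
From: someone@corp.example
Newsgroups: microsoft.public.security
Subject: Re: Help define the next Certificate Server
NNTP-Posting-Host: 198.51.100.7

Body text here.
"""


def domain_of(addr_header):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def same_org(domain, claimed):
    """True if `domain` is `claimed` itself or a subdomain of it."""
    return domain == claimed or domain.endswith("." + claimed)


def check_article(raw, claimed_domain, corporate_nets=()):
    """Return (consistent, findings) for a raw article.

    `claimed_domain` is the organisation the post claims to speak for;
    `corporate_nets` is an iterable of CIDR strings for that organisation's
    known posting hosts (supplied by the caller; assumed, not a public list).
    """
    msg = message_from_string(raw)
    findings = []

    from_dom = domain_of(msg.get("From"))
    if not same_org(from_dom, claimed_domain):
        findings.append(f"From domain {from_dom!r} is not {claimed_domain!r}")

    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # Path is a bang-separated trail; the rightmost real host is the injection
    # point (a trailing 'not-for-mail' token is conventional filler).
    hops = [h for h in (msg.get("Path") or "").split("!") if h and h != "not-for-mail"]
    injection = hops[-1].lower() if hops else ""
    if not same_org(injection, claimed_domain):
        findings.append(f"injected via {injection!r}, not a {claimed_domain!r} host")

    # NNTP-Posting-Host may be an address or a name; handle both.
    host = (msg.get("NNTP-Posting-Host") or "").strip()
    try:
        ip = ipaddress.ip_address(host)
        nets = [ipaddress.ip_network(n) for n in corporate_nets]
        if not any(ip in n for n in nets):
            findings.append(f"posting host {host} is outside the known corporate ranges")
    except ValueError:
        if not same_org(host.lower(), claimed_domain):
            findings.append(f"posting host {host!r} is not a {claimed_domain!r} host")

    return (not findings, findings)


if __name__ == "__main__":
    for name, art in (("suspect", SUSPECT_ARTICLE), ("direct", DIRECT_ARTICLE)):
        ok, notes = check_article(art, "corp.example", ["198.51.100.0/24"])
        print(name, "consistent" if ok else "inconsistent")
        for n in notes:
            print("  -", n)
```

A header that disagrees is evidence, not proof: an employee travelling or using a gateway produces the same findings as an impersonator, which is exactly the ambiguity the follow-up posts in this thread resolve by vouching. The check is useful for deciding which announcements deserve a second look before replying or forwarding.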
 
Mike Brannigan [MSFT]

All,

Fei is a Program Manager in the PKI team and all the information in the
e-mail is correct.
It is possible that Fei is out of the office and cannot use his corporate
accounts, hence his use of hotmail and another posting service, but the
message content and sender are all genuine.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
Steve

And how do we know that you're not a 78-year-old retired Finnish meteorologist
living in Helsinki?

Steve
 
David Cross [MS]

Fei is in my team and I am his manager. Microsoft employees can interact
with the newsgroups any number of ways. I happen to use the NNTP server,
others prefer to use Google or our other internal web tools. The fact is,
spammers harvest e-mail addresses from newsgroups and spam blocking software
and capabilities, although very strong and capable in Microsoft products,
still do not prevent the load from actually hitting our servers which must be
rejected.

If anyone has any question regarding the validity of his post, please feel
free to contact me. I am sure my history on these newsgroups will vouch for
itself.

--


David B. Cross [MS]
 
Mike Brannigan [MSFT]

Steve said:
And how do we know that you're not a 78-year-old retired Finnish meteorologist
living in Helsinki?

Steve

Well,

Look at some of the data in the header on MY post

Firstly I'm posting using Outlook Express so you get a real header.
Now look at my posting host. NNTP-Posting-Host: tide71.microsoft.com
213.199.128.147
If you do a reverse lookup
http://www.checkdomain.com/cgi-bin/checkdomain.pl?domain=213.199.128.147
you will see that I am posting directly to one of our newshosts inside the
Microsoft corporate network in the Dublin datacenter.

You could also look at the TechNet chats that I have been involved in as a
subject matter expert on Windows Server 2003/Active Directory/Group
Policy/Windows XP etc.
http://www.microsoft.com/technet/community/chats/trans/default.mspx
I was involved in one last night (the transcript will be up in a couple of
days) on Group Policy
I will also be on the one today
http://www.microsoft.com/technet/community/chats/default.mspx
and again on Friday - feel free to drop by and post any relevant questions.

I think that just about covers off the "who am I" bit.
--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
Roch Viviene

Suggestion: every user in this newsgroup could be authenticated with a
certificate, or only those who want to. With this everyone who wants could show
his real identity, and could be verified.

Is it possible?
 
Vanguardx

Roch Viviene said:
Suggestion: every user in this newsgroup could be authenticated
with a certificate, or only those who want to. With this everyone who
wants could show his real identity, and could be verified.

Is it possible?

Yes, you can digitally sign your posts. Unfortunately Outlook Express
doesn't know how to properly handle PGP digital signatures and shows the
PGP hash data inside the message body instead of as an attachment. I've
even seen where PGP-signed messages show as a blank body and the message
is in a .txt attachment (i.e., OE moved all the body into an attachment
instead of just the MIME parts for the digital signature). Presumably
(i.e., hopefully) OE knows how to handle x.509 certs correctly since
that's the only type of certs it really knows how to handle.

There's a "Sam" that posts in comp.mail.misc that always PGP digitally
signs his posts, you end up seeing a blank body for his post, and you
have to open the .txt attachment to see what he said. OE doesn't obey
the "Content-Disposition: inline" directive, when specified or implied
(since "attach" should be the default behavior) when "Content-Type:
application/pgp-signature". In other words, OE has problems with
MIME-signed messages when PGP is used
(ftp://ftp.rfc-editor.org/in-notes/rfc3156.txt), so instead of showing
those MIME parts with disposition "inline" it instead isolates them as
attachments. For example, the raw data for a message (bracketed below
between the underscore lines) might be:

________________________________________
<other headers>
Mime-Version: 1.0
Content-Type: multipart/signed;
  boundary="=_mimegpg-commodore.email-scan.com-3514-1096456268-0002";
  micalg=pgp-sha1; protocol="application/pgp-signature"
<otherheaders>

This is a MIME GnuPG-signed message. If you see this text, it means that
your E-mail or Usenet software does not support MIME signed messages.

--=_mimegpg-commodore.email-scan.com-3514-1096456268-0002
Content-Type: text/plain; format=flowed; charset="US-ASCII"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

This is the message that you are supposed to see within the view
window of your NNTP client.

--=_mimegpg-commodore.email-scan.com-3514-1096456268-0002
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBBWphMx9p3GYHlUOIRAgqGAJ9GyGI+qo0M22QtGIgnNmBQPGJFFgCfddZq
9teEz4KYNF42URLnAtudl7s=
=cOZh
-----END PGP SIGNATURE-----

--=_mimegpg-commodore.email-scan.com-3514-1096456268-0002--
________________________________________

The disposition of "inline" should have showed the message body within
your client's view window.  The default disposition is "attach" so the
other MIME part (for the PGP signature) should have been displayed as an
attachment in your client.  I've seen OE screw up in two different ways.
One has OE treating it all as disposition=attach (i.e., ignores the MIME
part with disposition=inline) and you have to read the message as a .txt
attachment.  The other is with OE showing it all in the body of the
message, so you have to wade past the first non-MIME part, see the
disposition=inline part (which is the message), and then wade past the
PGP signature part (which should've been an attachment).  Even Outlook
has problems regarding inline content
(http://support.microsoft.com/?id=814111).

I haven't seen many folks signing their newsgroup posts.  Sam was an
example of how PGP does it (as Sam has configured it), and OE doesn't
correctly handle PGP-signed messages.  I don't have an example of
someone posting with x.509-signed messages to see how OE handles those
or what MIME coding is used for those.  If signing gets more prevalent
to identify posters then it would also be nice if OE got fixed to handle
them correctly.  I, for one, don't want all the PGP signature "trash"
mixed in with the message.

The other problem with digital signatures is that they don't always
identify the sender.  If you use Thawte freemail certs, you are never
identified except by your e-mail address (which could be a disposable
freebie webmail address or even an e-mail alias).  Unless you bother to
go through their Web-o-trust mechanism to get more information put into
your Thawte cert then it is really a bogus cert.  About the only thing a
Thawte cert is good for is to encrypt your message sent to someone that
already knows you (i.e., to them you are a trusted sender).  The digital
"signature" in a Thawte cert is worthless.  Anyone can get one and never
really identify who they are.
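The raw message shown in the post above is the RFC 3156 layout: a `multipart/signed` container whose first part is the content the reader should see and whose second part is the detached OpenPGP signature. The following is an added example, not code from the poster or from any client discussed here. It uses Python's standard `email` module to take the article apart the way a conforming client should: read the container's `protocol` and `micalg` parameters, separate the inline body from the signature part, record each part's `Content-Disposition`, and produce the exact bytes (first part with its headers, CRLF line endings) that an OpenPGP implementation would hash when verifying. The sample article embeds the MIME structure and signature block quoted in the post, with a minimal header block added in place of the `<other headers>` placeholders; no signature verification is attempted, since no public key is on the page.

```python
"""Take apart a multipart/signed (RFC 3156) article with the stdlib email
module. Added example; the article below is the structure quoted in the thread
with a minimal header block added for parsing."""
import email
import email.policy

SIGNED_ARTICLE = """\
Mime-Version: 1.0
Content-Type: multipart/signed;
 boundary="=_mimegpg-commodore.email-scan.com-3514-1096456268-0002";
 micalg=pgp-sha1; protocol="application/pgp-signature"

This is a MIME GnuPG-signed message. If you see this text, it means that
your E-mail or Usenet software does not support MIME signed messages.

--=_mimegpg-commodore.email-scan.com-3514-1096456268-0002
Content-Type: text/plain; format=flowed; charset="US-ASCII"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

This is the message that you are supposed to see within the view
window of your NNTP client.

--=_mimegpg-commodore.email-scan.com-3514-1096456268-0002
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBBWphMx9p3GYHlUOIRAgqGAJ9GyGI+qo0M22QtGIgnNmBQPGJFFgCfddZq
9teEz4KYNF42URLnAtudl7s=
=cOZh
-----END PGP SIGNATURE-----

--=_mimegpg-commodore.email-scan.com-3514-1096456268-0002--
"""


def split_signed(raw):
    """Describe the structure of a multipart/signed article.

    Returns a dict with the container parameters, the preamble (the text a
    non-MIME client shows instead of the message), the two parts with their
    dispositions, the body text, the ASCII-armored signature, and whether the
    second part's type matches the declared protocol.
    """
    msg = email.message_from_string(raw, policy=email.policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    parts = msg.get_payload()
    if len(parts) != 2:
        raise ValueError("multipart/signed must carry exactly two parts")
    body, sig = parts
    protocol = msg.get_param("protocol")
    return {
        "protocol": protocol,
        "micalg": msg.get_param("micalg"),
        "preamble": msg.preamble or "",
        "parts": [
            {"content_type": p.get_content_type(),
             "disposition": p.get_content_disposition()}  # None when absent
            for p in parts
        ],
        "body": body.get_payload(),
        "signature": sig.get_payload(),
        "structure_ok": sig.get_content_type() == protocol,
    }


def signed_payload(raw):
    """Bytes a verifier hashes: the whole first part, its MIME headers
    included, serialised with CRLF line endings as RFC 3156 requires.
    Trailing-whitespace canonicalisation is left to the OpenPGP layer."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    first = msg.get_payload()[0]
    return first.as_bytes(policy=email.policy.SMTP)


if __name__ == "__main__":
    info = split_signed(SIGNED_ARTICLE)
    print("protocol:", info["protocol"], "micalg:", info["micalg"])
    for p in info["parts"]:
        print(" part:", p["content_type"], "disposition:", p["disposition"])
    print("body shown inline:\n" + info["body"])
    print("bytes to verify:", len(signed_payload(SIGNED_ARTICLE)))
```

Two points the structure makes visible: the signature covers the first part's headers as well as its text, so a client that rewraps or re-encodes that part before verifying will see a bad signature; and the signature part carries no `Content-Disposition` at all, so what a client shows for it is a matter of its own defaults, which is the behaviour difference between clients described in the post.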
 
Vanguardx

Roch Viviene said:
what a feedback....


maybe Vanguardx make a joke and you need to take it as is

Not a joke. I felt it was suspicious that Fei was posting through
Google Groups that got registered using a Hotmail account but wanted
e-mails to go to the Microsoft domain but his post was made when he was
using Comcast account.

As far as Steve's comment regarding the validity of Mike, well, Mike
already popped my balloon in responding to Steve to take a look at the
NNTP-Posting-Host header.
 
Vanguardx

David Cross said:
Fei is in my team and I am his manager. Microsoft employees can
interact with the newsgroups any number of ways. I happen to use the
NNTP server, others prefer to use Google or our other internal web
tools. The fact is, spammers harvest e-mail addresses from
newsgroups and spam blocking software and capabilities, although very
strong and capable in Microsoft products, still do not prevent the
load from actually hitting our servers which must be rejected.

If anyone has any question regarding the validity of his post, please
feel free to contact me. I am sure my history on these newsgroups
will vouch for itself.

--


David B. Cross [MS]


Mike Brannigan said:
All,

Fei is a Program Manager in the PKI team and all the information in
the e-mail is correct.
It is possible that Fei is out of the office and cannot use his
corporate accounts, hence his use of hotmail and another posting
service, but the message content and sender are all genuine.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

I would've thought there were standard procedures for releasing
Internet-based announcements (e-mail or usenet) from Microsoft that
would allow readers to qualify that the message was indeed from
Microsoft. My ISP (Comcast) contracts out some of its customer support
to eCareOnline. eCareOnline would periodically issue announcements
which proffered themselves to be official announcements from Comcast
regarding my service. When I looked at the headers, it was evident that
these official announcements did not originate from a Comcast domain so
they were considered bogus or phishing e-mails (but all the real URL
links were to Comcast). I complained to my ISP because anything
"official" from them sent via e-mail should originate from their domain;
otherwise, such e-mails were suspect. They changed to allow eCareOnline
to submit "official" messages through Comcast's mail servers so
recipients would see those official messages as originating from
Comcast. With so much spam and scam going on which uses e-mail and
newsgroups, it behooves the company to ensure that anything issued as an
official announcement look like it actually came from them.

With this post, I saw Fei posting through a Google Groups account that
was registered using a Hotmail account but which got posted from a
Comcast account using a munged Microsoft e-mail address. That looked a
bit suspicious as the only thing "Microsoft" in this post styled to be
an official announcement was the munged e-mail address they purported as
theirs in the body of the message. Sometimes users get impersonated in
the newsgroups but you can get a consensus regarding their identity if
you check their other posts. Fei didn't have prior posts to qualify
against (and I discounted the one other post over at alt.fashion.men).
Sorry for all the hoopla but I was picturing some unsuspecting Microsoft
employee getting slammed with e-mails they didn't initiate or had
nothing to do with.
 
Willk

"Vanguardx" <see_signature> wrote in message
With this post, I saw Fei posting through a Google Groups account that was
registered using a Hotmail account but which got posted from a Comcast
account using a munged Microsoft e-mail address. That looked a bit
suspicious as the only thing "Microsoft" in this post styled to be an
official announcement was the munged e-mail address they purported as
theirs in the body of the message. Sometimes users get impersonated in
the newsgroups but you can get a consensus regarding their identity if you
check their other posts. Fei didn't have prior posts to qualify against
(and I discounted the one other post over at alt.fashion.men). Sorry for
all the hoopla but I was picturing some unsuspecting Microsoft employee
getting slammed with e-mails they didn't initiate or had nothing to do
with.

--
_________________________________________________________________
******** Post replies to newsgroup - Share with others ********
Email: lh_811newsATyahooDOTcom and append "=NEWS=" to Subject.
_________________________________________________________________

Judging by the suspicious nature of your post, I guess a lot of trolling
goes on in the groups you read Vanguardx
 
Vanguardx

Willk said:
Judging by the suspicious nature of your post, I guess a lot of
trolling goes on in the groups you read Vanguardx

Well, this is a *security* newsgroup (and, by its nature, unmoderated).
I also visit the mail, spam, spyware, and [anti-]virus newsgroups. I've
also seen several impersonations.
 
rusga

I think they did... where's Fei?

As far as phished emails go, most are very easy to spot for all but the most
naive users. The idea that someone would try to impersonate a Microsoft
employee at this level is quite frankly ridiculous.

However, a cross-posted message (for example) asking for complaints toward
Microsoft (to a valid MSFT recipient) may be feasible, and on these grounds
I agree with your argument. With the Sender ID program in mind, perhaps
Microsoft should reconsider their policy on making public statements via
these channels.
 
Steve

Vanguardx said:
Willk said:
Judging by the suspicious nature of your post, I guess a lot of
trolling goes on in the groups you read Vanguardx

Well, this is a *security* newsgroup (and, by its nature, unmoderated).
I also visit the mail, spam, spyware, and [anti-]virus newsgroups. I've
also seen several impersonations.


Thus my post earlier in the thread. I didn't actually think that Mike
Brannigan {MSFT} was a Finnish meteorologist, but someone that doesn't take
the time to check (or doesn't know what to check) wouldn't know that.

Just a reminder for some of the less savvy that everything that is read on
Usenet shouldn't always be taken at face value.

Steve
 
Willk

Steve said:
Vanguardx said:
Willk said:
Judging by the suspicious nature of your post, I guess a lot of
trolling goes on in the groups you read Vanguardx

Well, this is a *security* newsgroup (and, by its nature, unmoderated).
I also visit the mail, spam, spyware, and [anti-]virus newsgroups. I've
also seen several impersonations.


Thus my post earlier in the thread. I didn't actually think that Mike
Brannigan {MSFT} was a Finnish meteorologist, but someone that doesn't take
the time to check (or doesn't know what to check) wouldn't know that.

Just a reminder for some of the less savvy that everything that is read on
Usenet shouldn't always be taken at face value.

And at the same time, one must also consider the boundaries of what might be
regarded as a legitimate post without needing to check the headers.

I for one, cannot see the reason for an 'impersonator' to make that post
(although I notice it was crossposted). Agreed, you should not take
everything on face value in the newsgroups but the content of the original
post, I feel did not warrant such a reply.
 
Vanguardx

Willk said:
I for one, cannot see the reason for an 'impersonator' to make that
post (although I notice it was crossposted). Agreed, you should not
take everything on face value in the newsgroups but the content of
the original post, I feel did not warrant such a reply.

Why do a-holes post lists of legitimate e-mail addresses in usenet
posts? To get those recipients slammed with spam and infected e-mails.
Same could hold true for an imposter that wanted to deluge someone at
Microsoft while also frustrating Microsoft's users. The Internet is
full of pueriles. Fei didn't have enough prior posts for readers to
qualify that the post was actually his, and with all the different
non-Microsoft domains used to submit the post then it was a bit iffy
that it was a valid post. If you have ever received any phishing
e-mails, you'll realize that a message stylized as an official
announcement doesn't make it so.
 