ietf-smime

RE: Does Slime works fine with Windows 2000 PKI

2000-05-11 10:19:31
Win2k and hence AD has a good level of security granularity on objects and
attributes that are exposed in the directory.  For instance, you could
configure AD to expose only the LDAP attributes that should be publicly
available when a user binds anonymously (e.g. comes in over the Internet).
Having said that, it would be a brave person who 'trusts' Win2k enough to
co-locate their corporate data with public data.  The proxy is probably a
better idea.

Piers

-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org]On Behalf Of Walter Williams
Sent: 11 May 2000 15:39
To: Dennis Glatting
Cc: Laurent Deffranne; ietf-smime
Subject: RE: Does Slime works fine with Windows 2000 PKI


Again, all this depends on content made available through the proxy.  You
can, of course, require access to any directory to be over an authenticated
bind into the directory, but that requires maintaining a user id and pw for
anyone external to your company who wants to use S/MIME.  This is one of the
reasons for Directory sync: it allows business partners to share directory
information.  That is why standards compliance is an issue here, and again,
Active Directory will require a metadirectory connector to many of the
directories already deployed.

Walt

-----Original Message-----
From: Dennis Glatting 
[mailto:dennis(_dot_)glatting(_at_)software-munitions(_dot_)com]
Sent: Thursday, May 11, 2000 10:36 AM
To: Walter Williams
Cc: Laurent Deffranne; ietf-smime
Subject: Re: Does Slime works fine with Windows 2000 PKI


Walter Williams wrote:

Active Directory would expose a significant amount of information you might
not want the external world to know, such as a complete listing of all your
w2k computers and their roles in your network.  You could use an LDAP proxy
server to provide what you want to the internet and keep the data in Active
Directory.  Innosoft (now purchased by IPlanet) makes such a product.  There
are probably others on the market.


Question:
      Would it also disclose the name of all of the
      employees and their roles, something many
      outside recruiters would love to know?


-----Original Message-----
From: Laurent Deffranne 
[mailto:Laurent(_dot_)Deffranne(_at_)dexia(_dot_)be]
Sent: Thursday, May 11, 2000 9:48 AM
To: walter.williams
Cc: ietf-smime
Subject: RE: Does Smime works fine with Windows 2000 PKI


What would happen if you want to open the directory to anonymous access to
the Web, in such a way that you could exchange S/MIME certs with outside
people?

walter(_dot_)williams%genuity(_dot_)com(_at_)Internet
11/05/2000 15:35
To:   Laurent Deffranne/GKBCCB(_at_)GKBCCB
cc:   ietf-smime%imc(_dot_)org(_at_)Internet

Subject:      RE: Does Smime works fine with Windows 2000 PKI

Let me take the points one at a time and inline:

-----Original Message-----
From: Laurent Deffranne 
[mailto:Laurent(_dot_)Deffranne(_at_)dexia(_dot_)be]
Sent: Thursday, May 11, 2000 9:19 AM
To: walter.williams
Cc: ietf-smime
Subject: RE: Does Smime works fine with Windows 2000 PKI


Walt,

Do you mean that there are difficulties accessing an Active Directory
through LDAP when you want to read or use X.509 certificates?


No.  However, are you going to open your Active Directory to anonymous LDAP
queries over the Internet?  If not, are you limiting S/MIME to internal use
only?  If not then you are somewhat back to square one.

By the way, does somebody know of issues with Active Directory LDAP, or
issues reading a certificate from an Active Directory?

This worked just fine for us here, but the problem we had with AD was that
it does not support inetOrgPerson, and thus can't easily be synched up with
most external LDAP directories.  You'll find you'll want a metadirectory
connector to synch it with any external directory.  Again, this is not an
issue if you're willing to directly expose AD to internet use.

For me it would be a mistake to use the "brand new" Active Directory now,
but if someone could tell me where I can find proofs of lack of
compatibility (from Microsoft, there must surely be one or two), this would
interest me.

AD seems to work just fine, if you don't mind working with something with a
proprietary schema.  Any LDAP and S/MIME aware client we pointed at it
understood the contents just fine, so the schema does not seem to impact
client interoperability.

Laurent

walter(_dot_)williams%genuity(_dot_)com(_at_)Internet
11/05/2000 14:54
To: Laurent Deffranne/GKBCCB(_at_)GKBCCB, ietf-smime%imc(_dot_)org(_at_)Internet
cc:

Subject:    RE: Does Smime works fine with Windows 2000 PKI

Laurent;

Yes, certs issued from a W2K CA can be used for S/MIME, and no less so than
certs issued from Baltimore, Iplanet or any other CA vendor or product.  The
main issue is not will they work, but will you be able to validate the
certs.  Unless the person issuing the cert from W2K has provided you with
their server's cert, or they have certified their CA with the signature of
the publicly known CAs you will not be able to easily verify the signature
to its source.  This is not the most technically accurate way of saying this
but I'm not awake yet.  Baltimore has preregistered their CA with the
vendors distributing products, as has Verisign, Thawte, and many others.
Just make certain that you have the certificates for the W2K CA, and access
to its revocation list so you can validate properly and you'll be fine.

Walt Williams
TSD-Systems
Senior IT Analyst
Genuity
www.genuity.com

Please note: GTE Internetworking is now Genuity.

-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org]On Behalf Of Laurent Deffranne
Sent: Thursday, May 11, 2000 5:45 AM
To: ietf-smime
Subject: Does Smime works fine with Windows 2000 PKI


Hi everybody,

Just a question:

Are there any known issues using S/MIME with Win2000 PKI certificates?
More generally, are Win2000 certificates usable with (and understood by)
the other mailers (especially Lotus Notes, Netscape, Eudora + plug-in)?

Isn't Baltimore Unicert a "better choice" due to its greater
compatibility?

Any advice is welcome.

Regards,

Laurent Deffranne

--
Dennis Glatting
Copyright (c) 2000 Software Munitions
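As an added example (not code from the thread or from any directory product), the following Python models the restricted anonymous view / LDAP proxy that Piers and Walt describe above: it publishes only cn, mail and userCertificate for person objects that actually hold a certificate, withholds AD computer objects (which also carry the person objectClass) and groups, and answers exact-match lookups only, so the proxy cannot be used to list staff, roles or machines. The function names and the sample directory entries are constructed for illustration.

```python
# Added example, not code from the thread or any directory product: it models
# the restricted anonymous view / LDAP proxy discussed above. Outsiders can fetch
# a person's S/MIME cert by exact e-mail address but cannot list computers,
# roles, group memberships or staff. All entries are constructed samples.
from typing import Any, Dict, List, Optional

Entry = Dict[str, Any]
CERT_ATTR = "userCertificate;binary"
PUBLISHED = {"person": {"cn", "mail", CERT_ATTR}}  # anonymous-visible attrs
# AD computer objects inherit from user -> organizationalPerson -> person, so
# they match "person" above and must be withheld explicitly.
WITHHELD = {"computer", "group"}

def anonymous_view(entries: List[Entry]) -> List[Entry]:
    """Entries and attributes visible to an anonymous bind through the proxy."""
    out: List[Entry] = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if classes & WITHHELD:
            continue  # computers, groups: never published
        allowed = set().union(*(a for c, a in PUBLISHED.items() if c in classes))
        if CERT_ATTR not in allowed or CERT_ATTR not in entry:
            continue  # people without a cert would only add a staff listing
        view = {"dn": entry["dn"]}
        view.update({k: v for k, v in entry.items() if k in allowed})
        out.append(view)
    return out

def lookup_certificate(entries: List[Entry], mail: str) -> Optional[bytes]:
    """Exact-match lookup by mail; filter metacharacters are rejected so the
    proxy cannot be turned into a wildcard enumeration interface."""
    if any(ch in mail for ch in "*()\\\0"):
        raise ValueError("mail must be a literal address, not a filter")
    for view in anonymous_view(entries):
        if view.get("mail", "").lower() == mail.lower():
            return view[CERT_ATTR]
    return None

# Constructed sample entries; the cert value is a placeholder, not real DER.
SAMPLE_DIRECTORY: List[Entry] = [
    {"dn": "CN=Alice Example,OU=Staff,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "cn": "Alice Example", "mail": "alice@example.com", "title": "Head of Treasury",
     CERT_ATTR: b"\x30\x82-placeholder-der"},
    {"dn": "CN=Bob Example,OU=Staff,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "cn": "Bob Example", "mail": "bob@example.com", "title": "Network Architect"},
    {"dn": "CN=DC01,OU=Domain Controllers,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "cn": "DC01", "operatingSystem": "Windows 2000 Server"},
]
```

Running `anonymous_view(SAMPLE_DIRECTORY)` returns only Alice's entry stripped to dn, cn, mail and the certificate; the domain controller and the cert-less Bob never appear, and `lookup_certificate` rejects `*@example.com`.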