
RE: Does Slime works fine with Windows 2000 PKI

2000-06-15 02:23:41
I'm jumping in too!  I'd like to add that we have deployed the MaxWare LDAP
proxy server for just this role in a large corporate in the UK.  They have a
PKI and wish to communicate externally using certificates from it, so we use
the MaxWare software to control access to the directory information,
specifically only allowing searches on mail addresses and the retrieval of
certificates.  This means that all other information in the corporate
directory is still secure.

Alan Shepherd.

-----Original Message-----
From: Frank W. Nolden [mailto:frank(_dot_)nolden(_at_)maxware(_dot_)nl]
Sent: 11 May 2000 16:17
To: Walter Williams; Laurent Deffranne
Cc: ietf-smime
Subject: Re: Does Slime works fine with Windows 2000 PKI

Sorry for jumping into this discussion, which I find very interesting. There
is a way of publishing certificates to the outside world without opening up
the AD. I think Walter mentioned it already, and that is replicating only the
certificate information (with some minor additional information like email
address, distinguished name, surname, etc.) to an (LDAP) directory that is
connected to the internet. Replicating this information cannot be done using
the standard X.500 DISP protocol since Microsoft does not support that, but
you can use LDIF files and other more sophisticated tools like our MaXware
Directory Sync Engine. You could put LDAP proxy servers (MaXware also has
these available, as Innosoft does) in front of that for security purposes
and attribute mapping.

A major advantage is that you do not permit anyone in real time, either via a
proxy or not, to access information in the AD. An extra (LDAP) directory is
an extra security barrier to your AD and it will only publish the
information you want to be available on the web, without risking access to
your AD and without configuring the Access Control in AD.

Frank Nolden

----- Original Message -----
From: "Walter Williams" <walter(_dot_)williams(_at_)genuity(_dot_)com>
To: "Laurent Deffranne" <Laurent(_dot_)Deffranne(_at_)dexia(_dot_)be>
Cc: "ietf-smime" <ietf-smime(_at_)imc(_dot_)org>
Sent: Thursday, May 11, 2000 15:57
Subject: RE: Does Slime works fine with Windows 2000 PKI

Active Directory would expose a significant amount of information you do
not want the external world to know, such as a complete listing of all W2K
computers and their roles in your network.  You could use an LDAP proxy
server to provide what you want to the internet and keep the data in the
directory.  Innosoft (now purchased by IPlanet) makes such a product. There
are probably others on the market.

-----Original Message-----
From: Laurent Deffranne 
Sent: Thursday, May 11, 2000 9:48 AM
To: walter.williams
Cc: ietf-smime
Subject: RE: Does Smime works fine with Windows 2000 PKI

What would happen if you want to open the directory to anonymous access to
the Web? In such a way that you could exchange S/MIME certs with outside
people?

11/05/2000 15:35
To: Laurent Deffranne/GKBCCB(_at_)GKBCCB
cc: ietf-smime%imc(_dot_)org(_at_)Internet

Subject: RE: Does Smime works fine with Windows 2000 PKI

Let me take the points one at a time and inline:

-----Original Message-----
From: Laurent Deffranne 
Sent: Thursday, May 11, 2000 9:19 AM
To: walter.williams
Cc: ietf-smime
Subject: RE: Does Smime works fine with Windows 2000 PKI


Do you mean that there are difficulties to access an Active Directory
through LDAP, as you want to read or use X509 certificates?

No.  However, are you going to open your Active Directory to anonymous LDAP
queries over the Internet?  If not, are you limiting S/MIME to internal use
only?  If not, then you are somewhat back to square one.

By the way, does somebody know of issues with Active Directory LDAP, or
issues reading a certificate in an Active Directory?

This worked just fine for us here, but the problem we had with AD was that
it does not support inetOrgPerson, and thus can't easily be synched up with
most external LDAP directories.  You'll find you'll want a metadirectory
connector to synch it with any external directory.  Again, this is not an
issue if you're willing to directly expose AD to internet use.

For me it would be a mistake to use now the "brand new" Active Directory,
but if someone could tell me where I can find proofs of lack of
compatibility (from Microsoft, there must surely be one or two), this would
interest me.

AD seems to work just fine, if you don't mind working with something with a
proprietary schema.  Any LDAP and S/MIME aware client we pointed at it
understood the contents just fine, so the schema does not seem to impact
client interoperability.


11/05/2000 14:54
To: Laurent Deffranne/GKBCCB(_at_)GKBCCB, 

Subject: RE: Does Smime works fine with Windows 2000 PKI


Yes, certs issued from a W2K CA can be used for S/MIME, and no less so than
certs issued from Baltimore, Iplanet or any other CA vendor or product.  The
main issue is not will they work, but will you be able to validate the
certs.  Unless the person issuing the cert from W2K has provided you with
their server's cert, or they have certified their CA with the signature of
the publicly known CAs, you will not be able to easily verify the signature
to its source.  This is not the most technically accurate way of saying this
but I'm not awake yet.  Baltimore has preregistered their CA with the
vendors distributing products, as has Verisign, Thawte, and many others.
Just make certain that you have the certificates for the W2K CA, and access
to its revocation list so you can validate properly and you'll be

Walt Williams
Senior IT Analyst

Please note: GTE Internetworking is now Genuity.

-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org]On Behalf Of 
Laurent Deffranne
Sent: Thursday, May 11, 2000 5:45 AM
To: ietf-smime
Subject: Does Smime works fine with Windows 2000 PKI

Hi everybody,

Just a question :

Are there any known issues using S/MIME with 
More generally, are Win2000 certificates usable with (and understood by)
the other mailers (especially Lotus Notes, Netscape, Eudora + plug-in)?

Isn't Baltimore Unicert a "better choice" due to its greater
compatibility?

Any advice is welcome.


Laurent Deffranne

This message is for the named person's use only.  It may contain confidential, 
proprietary or legally privileged information.  No confidentiality or privilege 
is waived or lost by any mistransmission.  If you receive this message in 
error, please immediately delete it and all copies of it from your system, 
destroy any hard copies of it and notify the sender.  You must not, directly or 
indirectly, use, disclose, distribute, print, or copy any part of this message 
if you are not the intended recipient. PROTEK Network Management Group and each 
of its subsidiaries reserve the right to monitor all e-mail communications 
through its networks.  Any views expressed in this message are those of the 
individual sender, except where the message states otherwise and the sender is 
authorised to state them to be the views of any such entity.
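The replication approach Frank describes (exporting only the certificate-related attributes to a separate, Internet-facing LDAP directory) and the attribute restriction Alan mentions can be illustrated with a small LDIF filter. This is an added example, not code from the thread or from MaXware; the published attribute set, the objectClass test and the sample LDIF entries are assumptions.

```python
"""Strip a full corporate-directory LDIF export down to what an Internet-facing
certificate directory needs.  Added example; names and sample LDIF are assumed."""
import base64

ALLOWED = {"objectclass", "cn", "sn", "mail", "usercertificate;binary"}
REQUIRED_CLASS = "person"   # publish people only; computer/server objects are dropped

def parse_ldif(text):
    """Yield (dn, [(attr, value, is_base64)]) for each blank-line-separated entry."""
    for block in text.strip().split("\n\n"):
        dn, attrs = None, []
        for line in block.replace("\n ", "").splitlines():   # undo LDIF line folding
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            b64 = value.startswith(":")                        # "attr:: base64" form
            value = value.lstrip(":").strip()
            if name.lower() == "dn":
                dn = base64.b64decode(value).decode() if b64 else value
            else:
                attrs.append((name, value, b64))
        yield dn, attrs

def filter_entry(dn, attrs):
    """Return the minimal LDIF record for a publishable person, else None."""
    classes = {v.lower() for n, v, _ in attrs if n.lower() == "objectclass"}
    has_mail = any(n.lower() == "mail" for n, _, _ in attrs)
    if dn is None or REQUIRED_CLASS not in classes or not has_mail:
        return None
    out = ["dn: " + dn]
    for name, value, b64 in attrs:
        if name.lower() in ALLOWED:
            out.append(f"{name}:{':' if b64 else ''} {value}")
    return "\n".join(out) + "\n"

def filter_ldif(text):
    return "\n".join(r for r in (filter_entry(dn, a) for dn, a in parse_ldif(text)) if r)

# Constructed sample: one user (placeholder certificate, folded line), one computer.
SAMPLE = """dn: cn=Jane Doe,ou=Users,dc=example,dc=test
objectClass: person
cn: Jane Doe
mail: jane.doe@example.test
telephoneNumber: +44 20 0000 0000
userCertificate;binary:: MIIBcGxhY2Vob2xk
 ZXI=

dn: cn=FILESRV01,ou=Computers,dc=example,dc=test
objectClass: computer
"""
```

Running `filter_ldif(SAMPLE)` yields only the user entry with its dn, objectClass, cn, mail and certificate; the phone number and the computer object never reach the external directory.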
