PKI CRL LDAP location exposes info about internal DS structure to external customers

Reinhard Henke

I want to set up a 2 tier PKI based on W2K3. The issuing CA is AD
integrated. Certificates are also to be provided to external customers
for secure web transactions.

Unfortunately, the LDAP URL in the CRL extensions exposes details about
the internal AD structure and NB-name of the CA. I read about LDAP
translation but couldn't find any info on how to implement that.

How can I obscure these details on the internal AD structure?
How critical would you value keeping these details in the CRLs?
Microsoft themselves advise in their design documents to obscure it but
unfortunately don't tell how...

Your help is really appreciated.

Reinhard
 
Brian Komar \(MVP\)

Re: PKI CRL LDAP location exposes info about internal DS structure to external customers

If this is a concern, then do not put LDAP URLs in the CDP or AIA extensions.
You cannot obscure them in any other way.
The other alternative is to use a different LDAP directory such as ADAM.
Brian

"Reinhard Henke" <r.henke-@-sofortsurf.de> wrote in message
news:fqu2l1$ijp$2@online.de...
>I want to set up a 2 tier PKI based on W2K3. The issuing CA is AD
>integrated. Certificates are also to be provided to external customers for
>secure web transactions.
>
> Unfortunately, the LDAP URL in the CRL extensions exposes details about
> the internal AD structure and NB-name of the CA. I read about LDAP
> translation but couldn't find any info on how to implement that.
>
> How can I obscure these details on the internal AD structure?
> How critical would you value keeping these details in the CRLs? Microsoft
> themselves advise in their design documents to obscure it but
> unfortunately don't tell how...
>
> Your help is really appreciated.
>
> Reinhard
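Brian's advice (keep LDAP URLs out of the CDP and AIA extensions) in command form, as an added example that is not part of the original thread. It assumes an AD CS issuing CA, a public web host pki.example.com serving the CertEnroll folder, and a freshly issued certificate saved as issued.cer; certutil is the built-in tool.

```powershell
# Added example, not from the thread: make an AD CS issuing CA publish only
# HTTP URLs in the CDP and AIA extensions of issued certificates.
# pki.example.com, the CertEnroll path and issued.cer are assumed names.
# Run from an elevated prompt on the CA itself.

# The default-style LDAP entry this replaces (shown for comparison only).
# %2 is the CA's NetBIOS name and %6 is the forest configuration DN, so
# every external relying party reading the certificate sees both:
#   10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10

# Current settings; each entry is "<flags>:<url template>".
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# CDP. 65 = write the CRL and delta CRL to the local folder (1 + 64).
#      6  = place the HTTP URL in the CDP of issued certificates and in the
#           Freshest CRL extension (2 + 4). certutil splits entries on "\n".
# %3 = CA name, %8 = CRL suffix, %9 = delta suffix. No ldap:/// entry at all.
certutil -setreg CA\CRLPublicationURLs "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/CertEnroll/%3%8%9.crl"

# AIA. 1 = copy the CA certificate to the local folder; 2 = place the HTTP URL
#      in the AIA extension. The default file name %1_%3%4.crt starts with %1,
#      the CA's DNS name, which would leak the internal FQDN through the URL,
#      so the template is reduced to %3%4.crt (CA name + certificate index).
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%4.crt\n2:http://pki.example.com/CertEnroll/%3%4.crt"

# Apply: restart the CA service and publish a fresh CRL so the files exist
# under the new names on the web host.
net stop certsvc
net start certsvc
certutil -CRL

# Check a certificate issued after the change: only http:// locations should
# appear in its CDP and AIA extensions.
certutil -dump .\issued.cer | findstr /i "ldap:/// http://"
```

Certificates issued before the change keep their old LDAP URLs until they are renewed, so the check must be run against a newly issued certificate.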
 
S. Pidgorny

Re: PKI CRL LDAP location exposes info about internal DS structure to external customers

So in the end anybody will know the computer name of your CA and your internal
domain name. That is not really a risk.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Reinhard Henke" <r.henke-@-sofortsurf.de> wrote in message
news:fqu2l1$ijp$2@online.de...
>I want to set up a 2 tier PKI based on W2K3. The issuing CA is AD
>integrated. Certificates are also to be provided to external customers for
>secure web transactions.
>
> Unfortunately, the LDAP URL in the CRL extensions exposes details about
> the internal AD structure and NB-name of the CA. I read about LDAP
> translation but couldn't find any info on how to implement that.
>
> How can I obscure these details on the internal AD structure?
> How critical would you value keeping these details in the CRLs? Microsoft
> themselves advise in their design documents to obscure it but
> unfortunately don't tell how...
>
> Your help is really appreciated.
>
> Reinhard
 