May 17, 2004 12:00 AM

CA Trust Relationships in Windows Server 2003 PKI

A matter of trust
Windows IT Pro
InstantDoc ID #42444

Application policy constraints. An application policy constraint limits the applications for which a certificate can be used. You can set an application policy in both CA (hierarchical and cross-certified) and end-entity certificates. Like issuance policies, application policies are identified by using the OID of the corresponding policy. These policies are kept in a certificate's Application policies extension. Web Table 1 (http://www.winnetmag.com/windowssecurity, InstantDoc ID 42444) lists the Windows 2003 PKI predefined application policies and their corresponding OIDs.

In Version 2 certificates, which Windows 2003 introduced, application policies have the same function as the Win2K extended key usage (EKU) certificate extension. Version 2 certificates are generated by an enterprise CA based on a Version 2 certificate template. For down-level compatibility, Windows 2003 CAs and Windows 2003 and XP clients can still work with the EKU extension.

As I mentioned, you can set application policies in both end-entity certificates and CA certificates. If you set an application policy in an end-entity certificate, you limit the applications for which that certificate can be used. If you set the policy in a CA certificate, the policy is copied into every certificate (end-entity and CA) the CA issues and thus limits the applications for which those certificates can be used. Setting the policy in a CA certificate also limits the certificate types the CA can issue. For an enterprise CA, the application policy settings even overrule the certificate templates that are loaded in its Certificate Templates container. For example, if you want a subordinate CA to issue user certificates, you need to make sure that its CA certificate carries the application policy OIDs for the Encrypting File System (EFS), Secure Email, and Client Authentication, because the User certificate template covers all three application policies.

Application policies that are set in cross-certification certificates limit the applications for which a certificate with the cross-certificate in its certificate chain can be used. In this case, enforcement of the application policy is the certificate chain validation software's responsibility. Again, the code needed to validate the application policy is available only in Windows 2003 and XP.

Figure 7 shows the effect of setting application policies in CA certificates. The figure shows that an application policy has been set in the certificates of subordinate CA 1 and CA 2. Subordinate CA 1 will accept both email and Secure Sockets Layer (SSL) certificate requests. Subordinate CA 2 can issue only email certificates and will reject SSL certificate requests.

Defining Trust Constraints
Windows 2003 PKI offers three tools to define PKI trust constraints: the capolicy.inf configuration file, the policy.inf configuration file, and the Microsoft Management Console (MMC) Certificate Templates snap-in.

During CA installation, you can use the capolicy.inf configuration file to set a CA certificate's PKI trust constraints. You can also use the configuration file to define other CA configuration settings, such as certificate revocation list (CRL) Distribution Points and Authority Information Access (AIA) locations. The content of the capolicy.inf file is checked for trust constraints at CA installation and every time the CA certificate is renewed. You need to store the file in the %systemroot% folder of the machine on which the CA is installed, and you can't change the file's name. You can use the capolicy.inf file to define only basic and issuance policy constraints.

The policy.inf configuration file defines the PKI trust constraints that are embedded in a CA certificate request file; the Certreq utility takes this file as a parameter. Policy.inf is the most complete trust-constraint configuration tool: unlike the capolicy.inf file, it lets you configure all the categories of PKI trust constraints. Also unlike capolicy.inf, the policy.inf file can be given any name you choose.
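The following is an added example (not code from the article or from Microsoft) that ties the two points above together: it reads the application policies out of the [ApplicationPolicyStatementExtension] section of a policy.inf file, and then applies the rule that an application policy set in a CA or cross-certificate restricts every certificate beneath it, modelled the way chain validation enforces it, by intersecting the policy sets from the root down to the end entity. The policy.inf texts, CA names and chains are constructed for the example; only the three OIDs (Server Authentication, Client Authentication, Secure Email) are real. The treatment of a certificate with no application policy section as "unrestricted", and the CA-side check `ca_will_issue`, are assumptions of this model, not documented product behaviour.

```python
"""Model of application policy constraints along a Windows 2003 CA chain.

Added example, not from the article or from Microsoft. It parses the
[ApplicationPolicyStatementExtension] section of a policy.inf (the file the
article says Certreq consumes) and intersects the resulting policy sets down
a chain, the way the chain validator enforces CA-level application policies.
The policy.inf texts below are constructed; only the OIDs are real.
"""
import configparser
from typing import Optional

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # Server Authentication (SSL server)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # Client Authentication
SECURE_EMAIL = "1.3.6.1.5.5.7.3.4"  # Secure Email

# Constructed policy.inf for subordinate CA 1: email and SSL (as in Figure 7).
POLICY_INF_CA1 = """
[Version]
Signature="$Windows NT$"

[ApplicationPolicyStatementExtension]
Policies=AppEmailPolicy, AppServerAuthPolicy
Critical=FALSE

[AppEmailPolicy]
OID=1.3.6.1.5.5.7.3.4

[AppServerAuthPolicy]
OID=1.3.6.1.5.5.7.3.1
"""

# Constructed policy.inf for subordinate CA 2: email only.
POLICY_INF_CA2 = """
[Version]
Signature="$Windows NT$"

[ApplicationPolicyStatementExtension]
Policies=AppEmailPolicy
Critical=FALSE

[AppEmailPolicy]
OID=1.3.6.1.5.5.7.3.4
"""

# Constructed policy.inf for the root: no application policy section at all.
POLICY_INF_ROOT = """
[Version]
Signature="$Windows NT$"

[BasicConstraintsExtension]
PathLength=1
"""


def application_policies(policy_inf: str) -> Optional[frozenset]:
    """Return the application policy OIDs a policy.inf declares, or None when
    it has no [ApplicationPolicyStatementExtension] section (assumption of
    this model: no section means the certificate imposes no restriction)."""
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=(";",))
    cp.read_string(policy_inf)
    section = "ApplicationPolicyStatementExtension"
    if not cp.has_section(section):
        return None
    names = [n.strip() for n in cp.get(section, "Policies").split(",")]
    # Each policy named in Policies= is its own section carrying the OID.
    return frozenset(cp.get(name, "OID").strip() for name in names if name)


def effective_policies(chain):
    """Intersect application policies from root to end entity.
    `chain` is a list of (label, policy set or None), root first."""
    allowed = None
    for _label, policies in chain:
        if policies is None:          # no extension: adds no restriction
            continue
        allowed = policies if allowed is None else allowed & policies
    return allowed                    # None: usable for any application


def usable_for(chain, oid: str) -> bool:
    """True if a certificate with this chain may be used for application `oid`."""
    allowed = effective_policies(chain)
    return allowed is None or oid in allowed


def ca_will_issue(ca_policies, requested) -> bool:
    """Model of the CA-side check: a CA whose own certificate carries
    application policies only issues certificates whose policies lie within
    that set (assumption of this model)."""
    return ca_policies is None or frozenset(requested) <= ca_policies


ROOT = ("Root CA", application_policies(POLICY_INF_ROOT))
CA1 = ("Subordinate CA 1", application_policies(POLICY_INF_CA1))
CA2 = ("Subordinate CA 2", application_policies(POLICY_INF_CA2))
SSL_LEAF = ("web server", frozenset({SERVER_AUTH}))
MAIL_LEAF = ("mailbox", frozenset({SECURE_EMAIL}))

CHAIN_CA1_SSL = [ROOT, CA1, SSL_LEAF]     # SSL cert under CA 1: allowed
CHAIN_CA2_SSL = [ROOT, CA2, SSL_LEAF]     # SSL cert under CA 2: rejected
CHAIN_CA2_MAIL = [ROOT, CA2, MAIL_LEAF]   # email cert under CA 2: allowed

if __name__ == "__main__":
    for label, chain in (("CA1/SSL", CHAIN_CA1_SSL), ("CA2/SSL", CHAIN_CA2_SSL),
                         ("CA2/mail", CHAIN_CA2_MAIL)):
        print(label, "effective:", sorted(effective_policies(chain) or []),
              "SSL usable:", usable_for(chain, SERVER_AUTH))
    print("CA 2 accepts an SSL request:", ca_will_issue(CA2[1], {SERVER_AUTH}))
```

Running the block reproduces the Figure 7 outcome: the SSL certificate chained through subordinate CA 1 is usable for Server Authentication, the same certificate chained through subordinate CA 2 is not, and CA 2 would not accept the SSL request in the first place. Because the intersection is computed over the whole chain, the same function handles a cross-certificate with an application policy in the path: it simply becomes one more restricting link.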

You can use the Certificate Templates snap-in to create, modify, or delete certificate templates. Certificate templates define the properties (including the PKI trust constraints) of certificates issued by Windows CAs. You can modify the content of Version 2 certificate templates; you can't modify Version 1 certificate templates. Certificate templates don't offer the same level of granularity for PKI trust-constraint definition as is possible with a policy.inf configuration file: You can use templates to set only basic, application policy, and issuance policy constraints.

Flexible PKI Trust Definition
Trust is a fundamental PKI concept. Windows 2003 PKI's enhanced trust features make Windows PKI more powerful and flexible but also add more complexity to PKI trust design and administration. Still, no other security protocol or technology available today can define trust in such a granular way. In a future article, I'll look at how trust decisions are made and governed on the Windows PKI user side.
