OID Help
I'm having difficulty understanding OIDs. Can anyone suggest a good article that explains what they are, how to use them, etc. Thank you, PaulT
April 29th, 2011 3:56pm

Try these:
http://middleware.internet2.edu/a-brief-guide-to-OIDs.doc
http://www.zytrax.com/books/ldap/apa/oid.html

Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX
Blogs - http://blogs.sivarajan.com/
Articles - http://www.sivarajan.com/publications.html
Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
This posting is provided AS IS with no warranties, and confers no rights.
April 29th, 2011 11:15pm

Santhosh, thanks for the URLs. Unfortunately, it still isn't adding up for me. Maybe an example question will help me get it straight.

As it relates to Certificate Services: if my organization had an OID assigned by the IANA, do I simply replace my assigned number in the OID definitions and leave all the remaining numbers the same, or can the remaining numbers be arbitrary? For example, the EFS OID - would it become:
1.3.6.1.4.1.<myOID>.10.3.4
or can I make it whatever I want after <myOID>:
1.3.6.1.4.1.<myOID>.1.2.3

Why do some "application" OIDs have an organization number in them and some don't?
1.3.6.1.4.1.311.10.3.4 (Microsoft OID) - EFS
1.3.6.1.5.5.7.3.4 (Secure Email)

Sorry, this just seems like a difficult concept for me to grasp.
May 2nd, 2011 4:19pm

1) You typically use custom OIDs for certificate policies (AKA issuance policies) where you are defining the assurance levels of the certificates your organization issues.

2) You *can* use custom OIDs for application policies, but these are used to distinguish between two certificates that have the same usage. For example, you can have two client authentication certificates. You can use NPS/IAS to require a custom OID in the certificate used to authenticate to the wireless network. So you would create a certificate with two separate OIDs (the default client authentication OID and a custom Wireless user OID). This would prevent someone from using a different client authentication certificate to connect to the wireless network.

3) You would never create a custom OID for a common OID (SMIME, Client Authentication, EFS).

4) Some of the OIDs are part of the Microsoft arc (1.3.6.1.4.1.311) because they are related to Microsoft apps. EFS is a great example that you quoted (as is BitLocker Data Encryption).

You can review the common OIDs by using the Certificate Templates console. You can right-click the console root and click View Object Identifiers. This will give you a list of all of the OIDs that exist in the directory. You will see the common application policy OIDs. You will also see some pre-generated custom and default issuance policy OIDs. The low, medium and high are generated based on the OID assigned to the forest that you built. There are default ones too (EU Qualified Certificate and Secure Signature Creation Device Qualified Certificate).

HTH, Brian
May 3rd, 2011 11:48am

There are two types of OIDs:
- well-known OIDs. They are used in the Internet PKI and they are defined by IANA.
- custom OIDs. They are used to extend existing infrastructure with custom policies.

For example, your certificate is used for secure email. There is a well-known OID for this: 1.3.6.1.5.5.7.3.4. This OID is defined and registered by IANA. And if your certificate is used for secure email purposes you should use this OID, because this OID is "international" and is recognized by non-Windows systems (Linux, MacOS).

Another example: Microsoft has several custom workflows and procedures that are not used in the Internet PKI. This can be key archival and recovery agents. There is no well-known OID for this. As a result Microsoft has created a custom OID for the Key Recovery Agent application policy: 1.3.6.1.4.1.311.21.6 within Microsoft's arc (311). This OID is recognized only by Windows systems and may not be recognized by other operating systems (Linux, MacOS). Other operating systems, though, may have a similar procedure (key archival) and they must define their own custom OID for key recovery agent.

The same with EFS. EFS is a Microsoft proprietary technology and not used by the Internet PKI. Microsoft has defined a custom OID for EFS = 1.3.6.1.4.1.311.10.3.4 within Microsoft's arc and this OID may not be recognized by Linux and/or MacOS.

If your certificates are used only in Windows systems, you can use both Internet PKI and Windows PKI OIDs, because they are natively supported by all Windows systems and you don't need to define your own OIDs. If you need a custom OID (for example, for banking transaction signing) you will have to define your own OID within your company's arc. Also your applications should be written to recognize this OID. Your own OIDs will be recognized only within your company's environment and custom applications.

HTH
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
May 3rd, 2011 12:04pm
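As an added illustration of the arc structure discussed in the two answers above (not code from the thread or from any poster): the snippet below DER-encodes and decodes an OID and classifies the OIDs quoted in the thread by arc. The enterprise number 99999 stands in for the "<myOID>" placeholder in Paul's question and is a constructed value, not a registered assignment.

```python
# Added example: DER encoding of OBJECT IDENTIFIER values and arc classification.
# Well-known PKIX extended key purposes live under id-kp; IANA Private Enterprise
# Numbers live under 1.3.6.1.4.1; Microsoft's enterprise number there is 311.
WELL_KNOWN_EKU_ARC = "1.3.6.1.5.5.7.3"
PRIVATE_ENTERPRISE_ARC = "1.3.6.1.4.1"
MICROSOFT_PEN = 311
MY_PEN = 99999  # constructed placeholder for "<myOID>" in the question


def oid_to_der(oid: str) -> bytes:
    """Return the DER content octets of an OID (tag 0x06 and length not included)."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {oid}")
    out = bytearray()
    # The first two arcs are folded into one sub-identifier: 40*X + Y.
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        groups = [value & 0x7F]            # base-128, last byte has high bit clear
        value >>= 7
        while value:
            groups.append(0x80 | (value & 0x7F))
            value >>= 7
        out.extend(reversed(groups))      # most significant group first
    return bytes(out)


def der_to_oid(data: bytes) -> str:
    """Decode DER content octets back to dotted form; rejects truncated input."""
    arcs, value = [], 0
    for b in data:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value or not arcs:
        raise ValueError("truncated OID encoding")
    first = arcs[0]
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def classify_oid(oid: str, my_pen: int = MY_PEN) -> str:
    """Say which arc an OID belongs to, in the terms used in the thread."""
    if oid.startswith(WELL_KNOWN_EKU_ARC + "."):
        return "well-known PKIX extended key usage"
    if oid.startswith(PRIVATE_ENTERPRISE_ARC + "."):
        pen = int(oid[len(PRIVATE_ENTERPRISE_ARC) + 1:].split(".")[0])
        if pen == MICROSOFT_PEN:
            return "Microsoft arc (Windows-only)"
        return "our own enterprise arc" if pen == my_pen else f"other enterprise arc (PEN {pen})"
    return "other"
```

The encoded bytes for the EFS OID match what you see in a certificate's EKU extension after the 0x06 tag and length byte.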

Brian & Vadims, thank you both for your contributions to this forum. Greatly appreciated!!
May 3rd, 2011 3:31pm

