OID Question
Does anyone know if it is possible to have the same OID configured on two different PKI environments within one organization? I have an existing PKI environment with a CA Policy server configured with an OID issued from IANA. I am creating a new PKI environment that will run in parallel to the old environment, and was wanting to know if I should use the same issued OID, or apply for a new one.

Thanks,
Patrick
April 16th, 2010 11:31pm
IANA (and other organizations that assign OIDs) does not assign you a single number, but rather they've assigned you what is known as an arc. For example, Microsoft's OID arc assigned by IANA is 1.3.1.4.1.311. That, as I stated, is not intended to be a single number but rather is intended to be a prefix that uniquely identifies Microsoft's OID arc. You, and Microsoft, and any other organization that is assigned an OID are free to add as many additional numbers to that arc as you like, as long as you preface each OID with the number that you've been assigned.

Taking Microsoft again as an example, every Active Directory forest that gets created has its own unique OID arc created, but they are all prefaced by Microsoft's unique number. To see how this works, take a look at the Extensions tab in the properties of any custom V2 template you may have created and then select Certificate Template Information. You'll see a very long OID that begins with 1.3.6.1.4.1.311.

So, to answer your question, no, you don't need to request another OID (IANA would not issue you another one for the same organization in any event); however, you should make use of your existing arc and potentially may need to extend it so you don't have conflicts.
Paul Adare CTO IdentIT Inc. ILM MVP
April 17th, 2010 2:38pm
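The answer above describes an assigned OID as a prefix (an arc) that the organization extends with its own child numbers. The following is an added example, not code from either poster, showing how that works in practice: the two PKI environments are laid out as sibling sub-arcs beneath one assigned arc, a small registry refuses to hand the same child OID out twice (which is where the "conflicts" the answer warns about would come from), arc membership is tested component-wise rather than as a string prefix, and an OID is DER-encoded so its bytes can be matched against what a certificate extension actually carries. `ORG_ARC` is a constructed placeholder in the Private Enterprise Number shape; 99999 is not a real assignment, and `OidRegistry`, `plan_parallel_pki` and the other function names are this example's own.

```python
"""Sub-arc management beneath one assigned OID prefix (added example).

An organization receives an arc, not a single number, so parallel PKI
environments can both live under it on distinct children. Also DER-encodes
an OID so the bytes can be compared with a certificate extension.
"""
from typing import Dict, Tuple

# Constructed placeholder arc in the Private Enterprise Number shape
# (1.3.6.1.4.1.<PEN>); 99999 is NOT a real IANA assignment.
ORG_ARC = "1.3.6.1.4.1.99999"


def parse_oid(oid: str) -> Tuple[int, ...]:
    """Dotted-decimal OID -> tuple of ints, rejecting malformed input."""
    parts = oid.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {oid!r}")
    arcs = tuple(int(p) for p in parts)
    # X.660: first arc is 0, 1 or 2; under 0 and 1 the second arc is at most 39.
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid root arcs: {oid!r}")
    return arcs


def is_under_arc(oid: str, arc: str) -> bool:
    """Component-wise prefix test.

    A plain string prefix check would wrongly accept 1.3.6.1.4.1.3110 as a
    child of 1.3.6.1.4.1.311; comparing parsed components avoids that.
    """
    o, a = parse_oid(oid), parse_oid(arc)
    return len(o) >= len(a) and o[: len(a)] == a


def der_encode(oid: str) -> bytes:
    """DER-encode an OID (tag 0x06) as it appears inside a certificate."""
    arcs = parse_oid(oid)
    # First two arcs are folded into one value; the rest are base-128,
    # big-endian, with the continuation bit set on all but the last byte.
    values = [arcs[0] * 40 + arcs[1]] + list(arcs[2:])
    body = bytearray()
    for v in values:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form DER lengths are not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


class OidRegistry:
    """Allocates child OIDs beneath one organization arc and refuses reuse."""

    def __init__(self, org_arc: str) -> None:
        self.org_arc = parse_oid(org_arc)
        self._assigned: Dict[Tuple[int, ...], str] = {}

    def assign(self, relative: str, purpose: str) -> str:
        """Reserve org_arc + relative for `purpose`; error if already taken."""
        rel = relative.split(".")
        if not all(p.isdigit() for p in rel):
            raise ValueError(f"malformed relative OID: {relative!r}")
        full = self.org_arc + tuple(int(p) for p in rel)
        if full in self._assigned:
            taken = ".".join(map(str, full))
            raise ValueError(f"{taken} already used for {self._assigned[full]!r}")
        self._assigned[full] = purpose
        return ".".join(map(str, full))


def plan_parallel_pki(org_arc: str = ORG_ARC) -> Dict[str, str]:
    """Lay both environments out as sibling sub-arcs of the one assigned arc."""
    reg = OidRegistry(org_arc)
    return {
        "legacy-pki/issuance-policy": reg.assign("1.1", "legacy PKI issuance policy"),
        "legacy-pki/app-policy": reg.assign("1.2", "legacy PKI application policy"),
        "new-pki/issuance-policy": reg.assign("2.1", "new PKI issuance policy"),
        "new-pki/app-policy": reg.assign("2.2", "new PKI application policy"),
    }


if __name__ == "__main__":
    for name, oid in plan_parallel_pki().items():
        print(f"{name:28} {oid}  DER={der_encode(oid).hex()}")
```

Running the block prints one OID per policy, all beneath `ORG_ARC`, with the old and new environments on the `.1` and `.2` children respectively. The registry is what keeps a policy OID from being reused across the two environments; in a real deployment that record would live in an internal OID register rather than in memory.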