Hi Hopefully a quick question on the use of OID's in CA hierachy (2008 R2)... It is my understanding that with R2 if I specify a OID for CPS, say 1.3.6.1.4.1.xxxxx.509.1 in the PolicyStatementExtension of a CA, then a sub CA can only have either 1.3.6.1.4.1.xxxxx.509.1 or 1.3.6.1.4.1.xxxxx.509.1.a.b defined in it's PolicyStatementExtension (ie the parent OID or sub OID's of it). For example 1.3.6.1.4.1.xxxxx.509.2 would not work. I think I've seen a thread where it is explained that this is new to R2. First question - is this understanding correct? Second question assuming it is correct - does the OID specified impose a similar restriction on specific issuance policies defined in Certificate Templates? The answers will help with design of my OID arc. Some of the common practices I've seen for OID arc's for use with CPS's & CP's may need to be reworked depending on the answers. ThanksDouks

1) yes. 2) yes.My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki

Thanks VadimsDouks

Please see this thread for more detailed information: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/90c9e4c6-de99-404c-ba5a-3fcd31657999Douks