hello,I am wondering what is the option called "Include symmetric algorithm" (allowed by subject) extension exactly doing? I don't see any symmetric algorithms in the issued certificate.thank you.ondrej.

Hi, When the subject requests a certificate, a list of supported symmetric algorithms can be supplied by the subject. The Include symmetric algorithms allowed by the subject option allows the issuing CA to include those algorithms in the certificate, even if they are not recognized or supported by that server. Thanks. Joson Zhou TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.comThis posting is provided "AS IS" with no warranties, and confers no rights.

thank you. how do I specify the symetric algorithms in the request?ondrej.

One example off the top of my head is to use the S/MIME plugin policy module in FIM 2010 CM (or CLM)You can designate what Symmetric algorithms are supported for SMIME encryption in the certificate by designating the OIDs of the various allowed symmetric algorithms.SMIMECapabilities would be the extension in this caseBrian

thank you very much, this makes things somewhat clearer.Butwhat background is under the inclusion of the algorithm in the certificate? I could imagine that especially the case of S/MIME whitch needs to encrypt the email without prior discussion/agreement with the assumed recepient defined by the certificate could justify this need. Is that right?If another protocol on the other hand assumed online connection between parties, there wouldn't be any reason to include the algorithms, because they could be agreed upon at the time of connectionestablishment,would it?ondrej.

Agreed. S/MIME is the main reason (hence why the extension is called S/MIMECapabilities <G>)Brian