
Windows Vista And Longhorn Server PKI Enhancements
Avi Ben-Menahem, Lead Program Manager, Windows Security, Microsoft Corporation




3 Agenda
- Microsoft and X.509 PKI
- Credential Management Services drilldown
- Futures – Advanced Cryptography Support

4 Microsoft And X.509 PKI: the road ahead
- Enabling primary end-to-end PKI application scenarios: S/MIME, secure wireless networks, VPN, IPsec, EFS, smart card logon, SSL/TLS, and digital signatures
- Enhancing credential lifecycle management: new certificate enrollment API and UI
- Enhancing manageability and deployment of Certificate Services
- Enabling revocation across all applications

5 Credential Management (architecture diagram: Credential Management Services, split into Client Credential Management and Server Role)
Components shown: Credential Roaming, Auto Enrollment, Advanced Enrollment, Smart Card Subsystem, Certificate Services, Online Revocation Services, Online Revocation Services Web Proxy, Web Enrollment Services, Network Device Enrollment Services

6 Advanced Enrollment: retiring the xenroll and scrdenrl controls
- The last version of Xenroll exposes the ICEnroll4 and IEnroll4 interfaces
- Difficult to use: monolithic interfaces
- High cost of maintenance for Microsoft to support Xenroll, and for customers and third-party CAs if and when Xenroll is updated
- Scrdenrl exposes the IScrdenr interface and leverages Xenroll; primarily used on the client for "Enroll on Behalf of" functionality

7 Advanced Enrollment: COM classes for PKI operations
- Well-defined class hierarchy that includes interfaces to create and manage:
  - Enrollments against a Microsoft CA (server interfaces and protocols remain the same)
  - Certificate requests (PKCS#10, PKCS#7, and CMC)
  - Public/private keys
  - Certificate extensions, attributes, and properties
- A subset of the functionality can be scripted via a web page
- Integrated UI
- Developer friendly: easy to understand and code against


9 Auto Enrollment
- Re-architected for attack surface reduction and overall operating system performance enhancement
- WMI jobs based design
- Improved usability for offline scenarios
- Expiry notifications

10 Auto Enrollment: expiry notification


12 Credential Roaming: pain points in deploying PKI-based solutions
- Certificates and private keys are bound to a machine
- For a given purpose (e.g. S/MIME), users have different sets of certificates and private keys on each machine
- CA management overhead
- Current options: smart cards, roaming user profiles

13 Credential Roaming: solution
- Credential Roaming Services deliver all credentials to the user's machine using Active Directory replication
- This helps applications like secure e-mail and client authentication
- Enhanced usability for smart card deployments

14 Credential Roaming: availability
Server-side components:
- Windows 2000 Server SP3+
- Windows Server 2003
- Windows Server 2003 SP1 – recommended
- Longhorn Server – recommended
Client-side components:
- Windows Server 2003 SP1
- Longhorn Client/Server
- Windows XP SP3/OOB (future predictions)


16 Smart Card Subsystem
- Simplified software development: common crypto operations handled in the platform; API for card manufacturers
- Enhanced user experience: planned certification and testing program for smart card middleware on Windows Update; PnP support for smart cards
- Enhanced smart card logon scenarios: root certificate propagation; integrated smart card unblock


18 Certificate Services
- Enabling delegated enrollment agent functionality
- Integrating Network Device Enrollment Service (SCEP) into native setup
- Manageability: improved administrative user experience with basic functionality enhancements
- Standards: updates and enhancements to conform to critical IETF and government protocol standards


20 Online Responder Services (architecture diagram; components: OCSP Client (CAPI 2), Web Proxy, Online Responder, Management; link labels: HTTP, DCOM, DCOM, CRL; CRL sources labelled MSFT CA and Other)
- RFC 2560 compliant
- Focus on performance, scalability, and manageability

21 Advanced Cryptography Support: CNG, the open cryptographic interface for Windows
- CNG provides the ability for the customer to plug in kernel- or user-mode implementations for:
  - Proprietary cryptographic algorithms
  - Replacements for standard cryptographic algorithms
  - Key Storage Providers (KSP)
- Enables cryptography configuration at enterprise and machine levels
- CNG meets Common Criteria and FIPS requirements for strong isolation and auditing

22 Advanced Cryptography Support: credential management support
- Certificate Server will support CNG for issuing ECC certificates (ECDSA, ECDH), supporting the P-256, P-384 and P-521 curves; hashes: SHA-2 (256, 384, 512)
- Enrollment API will support CNG, using the new provider model for requesting ECC-based certificates
- Smart Card subsystem will support dual cards
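As an added illustration of slides 7 and 22 (not code from the deck or from Microsoft), the following PowerShell script uses the CertEnroll COM classes that shipped as the Vista enrollment API to build a PKCS#10 request for an ECDSA P-256 key held in the CNG software Key Storage Provider, signed with SHA-256. The ProgIDs, enumeration values and provider name are taken from the CertEnroll documentation and are assumptions not stated on the slides; the subject name is a constructed placeholder.

```powershell
# Added example: PKCS#10 request for a CNG ECDSA P-256 key through the CertEnroll COM classes.
# ProgIDs, enum values and the KSP name come from the CertEnroll docs, not from the slides.
$ErrorActionPreference = 'Stop'

# 1. A CNG key in the software Key Storage Provider (slide 21: KSPs plug into CNG).
$key = New-Object -ComObject X509Enrollment.CX509PrivateKey
$key.ProviderName   = 'Microsoft Software Key Storage Provider'
$key.KeySpec        = 0        # XCN_AT_NONE: CNG keys do not carry the legacy CAPI key-spec
$key.MachineContext = $false   # current-user key store
$key.ExportPolicy   = 0        # XCN_NCRYPT_ALLOW_EXPORT_NONE: private key never leaves the KSP

$alg = New-Object -ComObject X509Enrollment.CObjectId
# XCN_CRYPT_PUBKEY_ALG_OID_GROUP_ID = 3, XCN_CRYPT_OID_INFO_PUBKEY_ANY = 0, AlgorithmFlagsNone = 0
$alg.InitializeFromAlgorithmName(3, 0, 0, 'ECDSA_P256')
$key.Algorithm = $alg
$key.Length    = 256           # must match the curve size
$key.Create()

# 2. A PKCS#10 request bound to that key (slide 7: certificate request classes).
$req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$req.InitializeFromPrivateKey(1, $key, '')   # 1 = ContextUser; '' = no CA template

$dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
$dn.Encode('CN=example-user, O=Constructed Example', 0)   # 0 = XCN_CERT_NAME_STR_NONE; placeholder subject
$req.Subject = $dn

# SHA-256 as the request signature hash (slide 22: SHA-2 family with ECC).
$hash = New-Object -ComObject X509Enrollment.CObjectId
$hash.InitializeFromAlgorithmName(1, 0, 0, 'SHA256')   # XCN_CRYPT_HASH_ALG_OID_GROUP_ID = 1
$req.HashAlgorithm = $hash
$req.Encode()

# 3. Wrap the request in an enrollment object and serialise it (slide 7: enrollment classes).
$enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
$enroll.InitializeFromRequest($req)
$csr = $enroll.CreateRequest(0)   # 0 = XCN_CRYPT_STRING_BASE64HEADER: PEM-style BEGIN/END lines
$out = Join-Path $env:TEMP 'ecdsa-p256.req'
[IO.File]::WriteAllText($out, $csr)
Write-Output "Request written to $out"
```

Running `certutil -dump` on the output file is the practical check that the CNG provider model was used: the public key algorithm should show as ECC and the signature algorithm as sha256ECDSA rather than an RSA/SHA-1 pair from a legacy CSP.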

23 © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

