Score:0

How does XCEP policy (XML) define SubjectType for User or Computer constraint?


We've developed our own implementation of an XCEP/CES WCF service that uses a combination of our certificate management solution and the Microsoft CA to issue the certificates. The standard XCEP XML definition is used (the same as the standard Microsoft XCEP/CES WCF service). We use the same WSDL for the WCF service. This works fine for CEP and CES.

Now we have extended the software to use a different Certificate Authority (not Microsoft). The new CA is GlobalSign, which has its own certificate template definition and settings (different from the MS CA certificate template settings). The CEP policy service works fine and creates the policy definition in compliance with the CEP XML policy structure, but we have one issue left.

How does XCEP policy define the SubjectType, meaning whether the policy (certificate template) is targeted for users or computers? At the moment, the clients interpret them as user templates and we do not see a property (or basic constraint extension) where we could define a target type "Computer".

The only option we see is the "Certificate Template" extension:

(screenshot of the Certificate Template extension, not reproduced here)

Score:0

It is determined by the generalFlags datum in the Attributes element ([MS-XCEP] §3.1.4.1.3.1). This datum is a bitwise enumeration of the PKI-Certificate-Template.flags DS attribute values ([MS-CRTD] §2.4).

  • If the datum value has the CT_FLAG_MACHINE_TYPE bit set, then the subject type is computer.
  • If the datum value has the CT_FLAG_IS_CA bit set, then the subject type is CA.
  • If neither bit is set, then the subject type is user.
Thank you very much! This flag is exactly what we're looking for.
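As an added worked example (not code from the question, the answer, or any Microsoft or GlobalSign component), the following Python shows both sides of the flag: a policy server deciding which bits to emit in generalFlags for a template aimed at computers, and a client-side reader that pulls generalFlags out of a GetPoliciesResponse and classifies each template. The bit values are the ones [MS-CRTD] §2.4 assigns to CT_FLAG_MACHINE_TYPE and CT_FLAG_IS_CA; the element names (policy, attributes, commonName, generalFlags) and the enrollmentpolicy namespace follow [MS-XCEP], the sample response and its flag values are constructed for this example, and testing CT_FLAG_IS_CA before CT_FLAG_MACHINE_TYPE is this example's choice, not something the answer states.

```python
"""Classify XCEP certificate templates by subject type from their generalFlags."""
import xml.etree.ElementTree as ET

# Bit values of the PKI-Certificate-Template "flags" attribute ([MS-CRTD] section 2.4),
# carried unchanged in the XCEP generalFlags element ([MS-XCEP] section 3.1.4.1.3.1).
CT_FLAG_MACHINE_TYPE = 0x00000040
CT_FLAG_IS_CA = 0x00000080


def subject_type(general_flags: int) -> str:
    """Return "CA", "Computer" or "User" for a generalFlags value.

    CT_FLAG_IS_CA is tested first so that a CA template that also carries
    CT_FLAG_MACHINE_TYPE is still reported as a CA (this ordering is our choice).
    """
    if general_flags & CT_FLAG_IS_CA:
        return "CA"
    if general_flags & CT_FLAG_MACHINE_TYPE:
        return "Computer"
    return "User"


def general_flags_for(subject: str, base_flags: int = 0) -> int:
    """Return the generalFlags a policy server should emit for a template.

    base_flags lets the caller keep any other flag bits it already sets; only the
    two subject-type bits are rewritten. Setting CT_FLAG_MACHINE_TYPE alongside
    CT_FLAG_IS_CA for CA templates is an assumption of this example.
    """
    flags = base_flags & ~(CT_FLAG_MACHINE_TYPE | CT_FLAG_IS_CA)
    if subject == "Computer":
        flags |= CT_FLAG_MACHINE_TYPE
    elif subject == "CA":
        flags |= CT_FLAG_MACHINE_TYPE | CT_FLAG_IS_CA
    elif subject != "User":
        raise ValueError(f"unknown subject type: {subject!r}")
    return flags


def _local_name(tag: str) -> str:
    """Strip the XML namespace so elements match regardless of prefix."""
    return tag.rsplit("}", 1)[-1]


def template_subject_types(get_policies_response_xml: str) -> dict:
    """Map each template commonName in a GetPoliciesResponse to its subject type."""
    root = ET.fromstring(get_policies_response_xml)
    result = {}
    for policy in root.iter():
        if _local_name(policy.tag) != "policy":
            continue
        name = flags = None
        for element in policy.iter():
            if _local_name(element.tag) == "commonName":
                name = (element.text or "").strip()
            elif _local_name(element.tag) == "generalFlags":
                flags = int((element.text or "").strip())
        if not name or flags is None:
            raise ValueError("policy element lacks commonName or generalFlags")
        result[name] = subject_type(flags)
    return result


# Constructed sample: a trimmed GetPoliciesResponse with three templates. Only the
# elements this example reads are included; real responses carry many more.
SAMPLE_GETPOLICIES_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<GetPoliciesResponse xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
  <response>
    <policies>
      <policy>
        <policyOIDReference>1</policyOIDReference>
        <attributes>
          <commonName>User</commonName>
          <generalFlags>66106</generalFlags>
        </attributes>
      </policy>
      <policy>
        <policyOIDReference>2</policyOIDReference>
        <attributes>
          <commonName>Machine</commonName>
          <generalFlags>66138</generalFlags>
        </attributes>
      </policy>
      <policy>
        <policyOIDReference>3</policyOIDReference>
        <attributes>
          <commonName>SubCA</commonName>
          <generalFlags>66266</generalFlags>
        </attributes>
      </policy>
    </policies>
  </response>
</GetPoliciesResponse>
"""

if __name__ == "__main__":
    for name, kind in template_subject_types(SAMPLE_GETPOLICIES_RESPONSE).items():
        print(f"{name}: {kind}")
    # A user template's flags rewritten for a computer template: 0x40 added.
    print(hex(general_flags_for("Computer", base_flags=66106)))
```

For the GlobalSign-backed policy server in the question, the relevant call is general_flags_for("Computer", ...) when building the attributes element of a template meant for machine enrollment; the reader half is useful for checking what a client will actually infer from the XML your service returns.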