3.1.1.1 User-Certificate Binding

Applications requesting a user-certificate binding (section 3.1.4.1) must supply a security context for the user. The security context is used in two ways: to maintain per-user state based on the unique principal security identifier (SID), and to authenticate the user during certificate enrollment.

The server maintains a persistent per-user collection of zero or more certificates, and corresponding private keys. The format of the certificates within this collection MUST conform to that specified in [RFC5280]. In addition, this collection MUST contain only certificates and private keys that are valid for use by the EFS subsystem on the client. This collection is referred to as EFS User Certificates, and is used by higher-layer protocols to perform encryption and decryption of EFS objects.

The EFS User Certificates collection on the client contains at most one certificate that is marked as the EFS Current Key for the user. The EFS User Certificates collection and the EFS Current Key can be populated by various implementation-specific methods.

The server defines a number of parameters for the certificate enrollment request. These parameters are persistent across reboot, with no intermediate or volatile form. The parameters can be updated by external entities (that is, other products). The parameters are as follows:

RequireV3Template (Public): A Boolean indicating whether to restrict the list of allowed certificate templates to version 3 and higher. The server MUST initialize this to the default value of False.

DisallowV3Template (Public): A Boolean indicating whether to restrict the list of allowed certificate templates to version 2 and lower. The server MUST initialize this to the default value of False.

RequireSmartCard (Public): A Boolean indicating whether to require that the resultant private key from the enrollment operation be stored on a smart card device. The server MUST initialize this to the default value of False.

TemplateName (Public): A variable-length, null-terminated Unicode string indicating the name of the certificate template to use in the enrollment operation. The server MUST initialize this to the default value of "EFS".

Note: The abstract interface notation "(Public)" indicates that the Abstract Data Model element can be directly accessed from outside of this protocol.
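The following is an added illustration, not code from the protocol specification or any implementation, of how the EFS User Certificates collection (per-SID, at most one EFS Current Key, only EFS-usable certificates) and the four enrollment parameters above constrain template selection and the resulting key. The template names other than "EFS", the `efs_usable` flag standing in for "valid for use by the EFS subsystem", and the SID value are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class EnrollmentParams:
    """The four persistent server parameters, with the defaults the spec mandates."""
    RequireV3Template: bool = False
    DisallowV3Template: bool = False
    RequireSmartCard: bool = False
    TemplateName: str = "EFS"

@dataclass
class Template:
    name: str
    version: int          # certificate template schema version

@dataclass
class Cert:
    subject: str
    template: str
    key_on_smart_card: bool
    efs_usable: bool      # assumed stand-in for "valid for use by the EFS subsystem"

def allowed_templates(params, templates):
    """Apply RequireV3Template / DisallowV3Template. Both True leaves nothing allowed."""
    out = []
    for t in templates:
        if params.RequireV3Template and t.version < 3:
            continue
        if params.DisallowV3Template and t.version > 2:
            continue
        out.append(t)
    return out

def select_template(params, templates):
    """Return the template named by TemplateName, but only if the version filter allows it."""
    return next((t for t in allowed_templates(params, templates)
                 if t.name == params.TemplateName), None)

def enrolled_key_acceptable(params, cert):
    """RequireSmartCard forces the private key onto a smart card; the cert must be EFS-usable."""
    if params.RequireSmartCard and not cert.key_on_smart_card:
        return False
    return cert.efs_usable

class EfsUserCertificates:
    """Per-user collection keyed by principal SID; at most one cert per SID is the EFS Current Key."""
    def __init__(self):
        self._by_sid = {}     # sid -> list of Cert
        self._current = {}    # sid -> index into that list
    def add(self, sid, cert, make_current=False):
        if not cert.efs_usable:
            raise ValueError("collection may hold only certificates valid for EFS use")
        certs = self._by_sid.setdefault(sid, [])
        certs.append(cert)
        if make_current:
            self._current[sid] = len(certs) - 1   # replaces any previous current key
    def certificates(self, sid):
        return list(self._by_sid.get(sid, []))
    def current_key(self, sid):
        i = self._current.get(sid)
        return None if i is None else self._by_sid[sid][i]
```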