PKI CRL LDAP location exposes info about internal DS structure to external customers

Giganews Newsgroups
Subject: PKI CRL LDAP location exposes info about internal DS structure to external customers
Posted by:  Reinhard Henke (r.henk…@-sofortsurf.de)
Date: Sat, 08 Mar 2008

I want to set up a 2 tier PKI based on W2K3. The issuing CA is AD
integrated. Certificates are also to be provided to external customers
for secure web transactions.

Unfortunately, the LDAP URL in the CRL extensions exposes details about
the internal AD structure and NB-name of the CA. I read about LDAP
translation but couldn't find any info on how to implement that.

How can I obscure these details on the internal AD structure?
How critical would you value keeping these details in the CRLs?
Microsoft themselves advise in their design documents to obscure it but
unfortunately don't tell how...

Your help is really appreciated.

Reinhard
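Added example, not part of the original post: the CDP and AIA URL templates on a Windows Server 2003 CA are stored in the CA's registry and can be rewritten with certutil so that issued certificates and CRLs point only at an external HTTP location instead of the default ldap:/// path. The host name pki.example.com is a placeholder; the commands assume the CA is online and that the CRL and CA certificate files are copied from the CertEnroll folder to that web server.

```powershell
# Added example (not from the original post). Assumes an online issuing CA
# and a web server reachable as the placeholder name pki.example.com.

# 1. Show the current URL templates. The W2K3 default CDP entry is
#    ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
#    where %2 expands to the CA server's NetBIOS name and %6 to the
#    configuration naming context of the forest. The default HTTP entry
#    uses %1, the CA server's DNS name. These are the details that end up
#    in every issued certificate and CRL.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 2. Replace the templates with HTTP URLs that carry no AD or server names.
#    The numeric prefix is a bit mask:
#      1 = publish to this location            2 = include in CDP/AIA extension
#      4 = include in freshest-CRL extension  64 = publish delta CRL here
#    Variables: %3 = CA name, %8 = CRL renewal suffix, %9 = "+" for a delta
#    CRL, %4 = CA certificate renewal suffix. A literal "\n" separates the
#    entries of the REG_MULTI_SZ value; certutil expands it itself.
certutil -setreg CA\CRLPublicationURLs "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://pki.example.com/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%4.crt\n2:http://pki.example.com/pki/%3%4.crt"

# 3. Restart the CA service so the new templates take effect, then publish
#    a fresh CRL and copy CertEnroll\*.crl and *.crt to the web server.
net stop certsvc
net start certsvc
certutil -CRL

# 4. Check: dump a newly issued certificate; the CRL Distribution Points
#    and Authority Information Access extensions should list only the
#    http://pki.example.com URLs. Certificates issued before the change
#    keep their old ldap:/// URLs until they are renewed.
# certutil -dump .\newly-issued.cer
```

Dropping the ldap:/// entries means domain members also fetch revocation data over HTTP, so the web location must stay reachable from the internal network as well as from the Internet.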

Replies