Merry Christmas Dochelp Team!
This is about [MS-XCEP] 3.1.4.1.3.22 RequestFilter
clientVersion: The server SHOULD only return CertificateEnrollmentPolicy
objects whose bitwise AND of the <privateKeyFlags> element of the <attributes>
element with 0x0F000000 is smaller than or equal to 0x0Z000000, where Z
denotes the value of the clientVersion.<2>
serverVersion: The server SHOULD only return the CertificateEnrollmentPolicy
objects whose bitwise AND of the <privateKeyFlags> element of the <attributes>
element with 0x000F0000 is smaller than or equal to 0x000Y0000, where Y
denotes the value of the serverVersion.<3>
Normally you should set the value for the clientVersion for what responses
you're able to parse. However, the values are not documented.
From research on the web [1][2][3], we compiled the following list:
0:   Legacy / unspecified: Minimal response. Often treated as 'no version
     negotiation'
1:   Initial schema: Basic template enumeration. Only template names and OIDs
     are returned
2-3: Intermediate schemas: Adds more attributes (e.g., key usage, issuance
     requirements). Used in older Windows releases
4:   Windows Server 2012: Includes richer template metadata, subject name
     requirements, and issuance policies
5:   Windows Server 2016: Adds support for newer template flags and enrollment
     restrictions
6:   Current schema (Windows 10/11, Server 2019/2022/2025): Full detail:
     template properties, issuance requirements, key usage, renewal policies,
     and advanced flags. This is the most complete and recommended version
     today
The server should then check what it supports and return the information in
the highest supported version number of both. However, it is not documented
how the server chooses the version number nor what the response looks like for
the different version numbers.
Could you please clarify?
Merry Christmas and a happy new year! Looking forward to hearing back from you
next year ;-)
Best regards
Andreas
[1] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725838(v=ws.11)?redirectedfrom=MSDN
[2] https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-template-concepts
[3] https://www.gradenegger.eu/en/description-of-the-generations-of-certificate-templates/
--
Andreas Schneider [email protected]
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
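
The filter rule quoted from [MS-XCEP] 3.1.4.1.3.22 in the message above, written out as an added example (not part of the original message, and not Samba or Microsoft code). The policy names and flag values are constructed, and treating an absent version as "no filtering" is an assumption.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Masks quoted from the RequestFilter text above.
CLIENT_VERSION_MASK = 0x0F000000   # compared against 0x0Z000000
SERVER_VERSION_MASK = 0x000F0000   # compared against 0x000Y0000


@dataclass
class Policy:
    name: str                # constructed sample name
    private_key_flags: int   # <privateKeyFlags> from <attributes>


def _limit(version: Optional[int], shift: int) -> Optional[int]:
    """Turn a filter version into the 0x0Z000000 / 0x000Y0000 limit."""
    if version is None:      # assumption: absent element means no filtering
        return None
    if not 0 <= version <= 0xF:
        # Z and Y are single hex digits in the quoted rule.
        raise ValueError(f"version {version} does not fit in one nibble")
    return version << shift


def filter_policies(policies: Iterable[Policy],
                    client_version: Optional[int] = None,
                    server_version: Optional[int] = None) -> List[Policy]:
    """Keep policies whose masked privateKeyFlags are <= both limits."""
    client_limit = _limit(client_version, 24)
    server_limit = _limit(server_version, 16)
    kept = []
    for p in policies:
        if client_limit is not None and \
                (p.private_key_flags & CLIENT_VERSION_MASK) > client_limit:
            continue
        if server_limit is not None and \
                (p.private_key_flags & SERVER_VERSION_MASK) > server_limit:
            continue
        kept.append(p)
    return kept


# Constructed sample data: only the two version nibbles are set.
SAMPLE = [
    Policy("NoVersionBits", 0x00000000),
    Policy("Client1Server1", 0x01010000),
    Policy("Client5Server4", 0x05040000),
    Policy("Client6Server6", 0x06060000),
]

if __name__ == "__main__":
    for cv, sv in [(0, 0), (5, 4), (6, 3), (6, 6)]:
        names = [p.name for p in filter_policies(SAMPLE, cv, sv)]
        print(f"clientVersion={cv} serverVersion={sv}: {names}")
```

The two comparisons are independent, so a policy is dropped as soon as either nibble exceeds its limit, whatever the other one allows.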