What exactly is the "Include symmetric algorithm" option?

  • Monday, November 02, 2009 9:18 PM, Ondrej Sevecek (MVP)
     
    hello,

    I am wondering what is the option called "Include symmetric algorithm" (allowed by subject) extension exactly doing? I don't see any symmetric algorithms in the issued certificate.

    thank you.

    ondrej.


All Replies

  • Tuesday, November 03, 2009 8:28 AM, Joson Zhou (MSFT, Moderator)
     

    Hi,

    When the subject requests a certificate, a list of supported symmetric algorithms can be supplied by the subject. The “Include symmetric algorithms allowed by the subject” option allows the issuing CA to include those algorithms in the certificate, even if they are not recognized or supported by that server.

    Thanks.

    Joson Zhou
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com

    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Tuesday, November 03, 2009 1:39 PM, Ondrej Sevecek (MVP)
     
    Thank you. How do I specify the symmetric algorithms in the request?

    ondrej.

  • Tuesday, November 03, 2009 8:35 PM, Brian Komar [MVP]
     
    One example off the top of my head is to use the S/MIME plugin policy module in FIM 2010 CM (or CLM).
    You can designate what symmetric algorithms are supported for S/MIME encryption in the certificate by designating the OIDs of the various allowed symmetric algorithms.
    SMIMECapabilities would be the extension in this case.
    Brian
  • Tuesday, November 03, 2009 10:24 PM, Ondrej Sevecek (MVP)
     
    Thank you very much, this makes things somewhat clearer.

    But what is the background behind including the algorithms in the certificate? I could imagine that especially the case of S/MIME, which needs to encrypt the email without prior discussion/agreement with the assumed recipient identified by the certificate, could justify this need. Is that right?

    If another protocol, on the other hand, assumed an online connection between the parties, there wouldn't be any reason to include the algorithms, because they could be agreed upon at the time of connection establishment, would there?

    ondrej.
  • Wednesday, November 04, 2009 9:46 PM, Brian Komar [MVP] (marked as answer)
    Agreed. S/MIME is the main reason (hence why the extension is called S/MIMECapabilities <G>)
    Brian
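The extension the replies above refer to, S/MIME Capabilities (OID 1.2.840.113549.1.9.15, specified as a certificate extension in RFC 4262), is a DER SEQUENCE OF SMIMECapability, each a SEQUENCE of an algorithm OID plus optional parameters; that is the structure the CA copies from the request into the issued certificate when the template option is enabled. The following is an added, stand-alone Python example and not code from this thread, from FIM CM or from any Microsoft tool: it encodes a constructed list of content-encryption algorithm OIDs into that extension value, decodes it back, and shows what Ondrej's point about S/MIME amounts to in practice, namely a sender that holds only the recipient's certificate picking a cipher from the advertised list with no online negotiation. The algorithm OIDs are the standard ones for AES-256-CBC, AES-128-CBC, 3DES-CBC and RC2-CBC; the sample list and the sender's preference order are assumptions made for the example.

```python
"""S/MIME Capabilities extension (OID 1.2.840.113549.1.9.15, RFC 4262) as DER,
standard library only.  ASN.1:
    SMIMECapabilities ::= SEQUENCE OF SMIMECapability
    SMIMECapability   ::= SEQUENCE { capabilityID OBJECT IDENTIFIER,
                                     parameters ANY DEFINED BY capabilityID OPTIONAL }
Only INTEGER parameters (the RC2 key length) are interpreted here."""
from typing import List, Optional, Tuple

SMIME_CAPABILITIES_OID = "1.2.840.113549.1.9.15"
AES256_CBC = "2.16.840.1.101.3.4.1.42"
AES128_CBC = "2.16.840.1.101.3.4.1.2"
DES_EDE3_CBC = "1.2.840.113549.3.7"
RC2_CBC = "1.2.840.113549.3.2"          # parameters carry the key length in bits

Cap = Tuple[str, Optional[int]]
# Constructed sample of what a requesting client might advertise (an assumption, not
# any particular mail client's list) and an assumed sender preference (RC2 excluded).
SAMPLE_CAPS: List[Cap] = [(AES256_CBC, None), (AES128_CBC, None), (DES_EDE3_CBC, None), (RC2_CBC, 128)]
PREFERENCE = [AES256_CBC, AES128_CBC, DES_EDE3_CBC]


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for v in arcs[2:]:                  # base-128, high bit set on all but the last byte
        chunk = bytearray([v & 0x7F])
        v >>= 7
        while v:
            chunk.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        body += chunk
    return _tlv(0x06, bytes(body))


def _encode_int(n: int) -> bytes:       # non-negative, minimal length, leading 0x00 if needed
    if n < 0:
        raise ValueError("only non-negative parameters are supported")
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def encode_smime_capabilities(caps: List[Cap]) -> bytes:
    """DER value of the SMIMECapabilities extension for [(oid, optional int parameter)]."""
    items = b""
    for oid, param in caps:
        body = _encode_oid(oid) + (b"" if param is None else _encode_int(param))
        items += _tlv(0x30, body)
    return _tlv(0x30, items)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    v, pending = 0, False
    for b in body[1:]:
        v, pending = (v << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(v)
            v = 0
    if pending:
        raise ValueError("unterminated OID arc")
    return ".".join(map(str, arcs))


def decode_smime_capabilities(der: bytes) -> List[Cap]:
    """Parse a SMIMECapabilities DER value; non-INTEGER parameters are skipped (param None)."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    caps, pos = [], 0
    while pos < len(seq):
        tag, cap, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("SMIMECapability must be a SEQUENCE")
        tag, oid_body, p = _read_tlv(cap, 0)
        if tag != 0x06:
            raise ValueError("capabilityID must be an OBJECT IDENTIFIER")
        param = None
        if p < len(cap):                # optional parameters present
            tag, pbody, p = _read_tlv(cap, p)
            if tag == 0x02:
                param = int.from_bytes(pbody, "big", signed=True)
        if p != len(cap):
            raise ValueError("trailing bytes in SMIMECapability")
        caps.append((_decode_oid(oid_body), param))
    return caps


def choose_content_cipher(caps: List[Cap], preference=PREFERENCE) -> Optional[str]:
    """Sender side: with only the recipient's certificate in hand, take the first
    algorithm of our own preference list that the certificate advertises, or None."""
    advertised = {oid for oid, _ in caps}
    return next((oid for oid in preference if oid in advertised), None)


if __name__ == "__main__":
    der = encode_smime_capabilities(SAMPLE_CAPS)
    print("extension", SMIME_CAPABILITIES_OID, "value:", der.hex())
    for oid, param in decode_smime_capabilities(der):
        print(" ", oid, "" if param is None else f"(key length {param})")
    print("sender would use:", choose_content_cipher(decode_smime_capabilities(der)))
```

The hex the script prints is the raw extension value; on Windows, `certutil -dump` on a certificate issued from a template with the option enabled shows the same structure under the friendly name "SMIME Capabilities", which is the quickest way to confirm the CA actually copied the requester's list. A CA that honours the option does not validate the OIDs (Joson's "even if they are not recognized or supported by that server"), so the decoder above treats an unknown algorithm as just another OID rather than an error, and the sender-side selection is where unacceptable algorithms such as RC2 get excluded.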