[OpenID] DC cert template for openid auto-enrollment

Peter Williams pwilliams at rapattoni.com
Sun Apr 26 15:26:19 UTC 2009


I've been playing with auto-enrollment of computer certs in MS Cert server (2008 enterprise), focussing on the template that allows a directory server (a DSA in X.500 speak, or DC in MSFT speak) to obtain certs as a new directory db's replicator node is added to the distributed directory.

The config practices associated with DC auto-enrollment templates allow one to put various alternative subject names into the cert: UPNs (home_pw at myopenid.com), SPN (server at farm.com) and GUID/DNS name forms. This is exactly as the X.500 committee intended. But, there is no obvious means to add a URI - i.e. the DC's openid (where UCI was one of the other name forms the standard allowed for).

It would be nice if, in an enterprise cross-forest B2B setting, domain users could be autoenrolled with SSL server certs (bearing the UCI alt subj name with their openids), under the control of the DC with the infrastructure token - that is also openid aware. This would help with secure hosting of XRDSs, perhaps within a custom application partition of the directory (doing for openid XRDs what AD does for hosting zones for DNS). The XRDs can then be replicated throughout the custom partition's replication topology - and be subject to all the domain and forest trust rules. The full trust fabric of the directory would then naturally locate and control which RPs would see which discovery points (those hosted by OPs, those of vanity users...)

Anyone else going in this sort of direction?
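The post's point about name forms is worth seeing at the byte level. In X.509 (RFC 5280) the SubjectAltName extension is a SEQUENCE of GeneralName, a CHOICE whose alternatives include otherName [0] (which is how Microsoft carries a UPN, under its otherName type OID 1.3.6.1.4.1.311.20.2.3), dNSName [2] and uniformResourceIdentifier [6]. So a URI alternative name is a standard form; what the DC template tooling exposes is a separate matter. The following is an added example, not code from the original post or from any Microsoft tool: a minimal pure-Python DER encoder and decoder for a SubjectAltName value, used to build a SAN carrying UPN, DNS and URI names and then to check whether a decoded SAN contains a URI entry. The host names and the URI are constructed sample values; the UPN OID is Microsoft's published one.

```python
# Added example: encode/decode an X.509 SubjectAltName (RFC 5280 GeneralNames) in DER,
# to show that UPN (otherName), DNS and URI are all ordinary GeneralName alternatives.
# Pure standard-library Python; no external ASN.1 library required.

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft UPN otherName type-id (real, documented OID)

# --- DER primitives -------------------------------------------------------

def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))  # base-128, most significant group first
    return _tlv(0x06, bytes(out))

def _oid_decode(body):
    arcs = [body[0] // 40, body[0] % 40]  # valid for first arc 0 or 1, as here
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# --- GeneralNames ----------------------------------------------------------
# Context-specific tags from the GeneralName CHOICE: otherName [0] (constructed),
# rfc822Name [1], dNSName [2], uniformResourceIdentifier [6].
_PRIMITIVE_TAGS = {"email": 0x81, "dns": 0x82, "uri": 0x86}
_TAG_TO_KIND = {v: k for k, v in _PRIMITIVE_TAGS.items()}

def encode_san(names):
    """names: list of (kind, value); kind in {'upn', 'email', 'dns', 'uri'}."""
    parts = []
    for kind, value in names:
        if kind == "upn":
            # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
            inner = _oid(UPN_OID) + _tlv(0xA0, _tlv(0x0C, value.encode("utf-8")))
            parts.append(_tlv(0xA0, inner))
        elif kind in _PRIMITIVE_TAGS:
            parts.append(_tlv(_PRIMITIVE_TAGS[kind], value.encode("ascii")))
        else:
            raise ValueError("unsupported GeneralName kind: %s" % kind)
    return _tlv(0x30, b"".join(parts))

def decode_san(der):
    """Decode a DER SubjectAltName value into a list of (kind, value) tuples."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # otherName
            _, oid_body, p = _read_tlv(val, 0)
            oid = _oid_decode(oid_body)
            _, explicit, _ = _read_tlv(val, p)      # [0] EXPLICIT wrapper
            _, utf8, _ = _read_tlv(explicit, 0)     # UTF8String inside it
            kind = "upn" if oid == UPN_OID else "othername:" + oid
            names.append((kind, utf8.decode("utf-8")))
        elif tag in _TAG_TO_KIND:
            names.append((_TAG_TO_KIND[tag], val.decode("ascii")))
        else:
            names.append(("unknown:%d" % (tag & 0x1F), val.hex()))
    return names

def uri_names(der):
    """The check a verifier would run: which URI alternative names does this SAN carry?"""
    return [v for k, v in decode_san(der) if k == "uri"]

# Constructed sample values (hypothetical names, not from the original post).
SAMPLE_SAN = encode_san([
    ("upn", "home_pw@myopenid.example"),
    ("dns", "dc1.farm.example"),
    ("uri", "https://dc1.farm.example/openid"),
])

if __name__ == "__main__":
    print(decode_san(SAMPLE_SAN))
    print("URI names:", uri_names(SAMPLE_SAN))
```

The round trip is the useful part: a relying party that wants to bind an OpenID identifier to a DC's server certificate would look for the [6] entry with `uri_names()`, and a template that emits only UPN/SPN/DNS forms simply yields an empty list there.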


