The Windows .NET Server public key infrastructure (PKI) supports the definition and enforcement of name constraints, application policy, and issuance policies rules, in accordance with Internet Engineering Task Force (IETF) Request for Comments (RFC) 2459 (available at http://www.ietf.org). RFC 2459 defines specific certificate extensions that hold PKI policy rule—specific information. To enforce these rules at certificate validation, the client-side software must include extra code. At the time of this writing, only Windows XP clients include this code, although Microsoft might ship special tools or software extensions for earlier Windows clients.

You can apply name constraints rules only to Certificate Authority (CA) certificates. These rules define a namespace; all the subject names of certificates that the CA or its subordinate CAs issue must reside in that namespace. You can base the namespace specification on DNS names, X.500 distinguished names (DNs), email addresses, or IP addresses. A subordinate CA can only reduce—never extend—the name constraints rule received from its parent CA.

Application policy rules define which applications can use a particular certificate. An Object Identifier (OID) identifies an application policy rule. The Application policy certificate extension replaces Windows 2000 certificates' Enhanced Key Usage (EKU) extension.

Issuance policies rules define the conditions under which a CA can issue a certificate. In .NET Server, these rules reside in the Certificate policies certificate extension. Like the application policy rule, an OID identifies the issuance policies rules. An issuance policy rule might contain restrictions relating to the way the CA identifies the user at certificate-request time or the way the private key is stored (e.g., on a smart card). Table A summarizes the three predefined issuance policies levels: low, medium, and high. The low level is appropriate for a typical intranet issuance policies rule. The other two levels might be useful for extranet, Internet, or advanced intranet issuance policies.

Like earlier Windows PKI versions, the .NET Server PKI also supports basic constraint policy rules. These rules define whether the subject of a certificate is a CA, and they can limit the certificate-chain path-length that the PKI software uses during certificate-chain validation.