Old Miraheze Wiki Pages:PDI OIDNode 1.3.6.1.4.1.60218.1.1.1.7

From The LI AO Wiki
Revision as of 17:58, 28 September 2024 by Admin (talk | contribs) (4 revisions imported: Import the dump of the "LI AO's Wiki (Miraheze)" wiki.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


Description

This OID indicates a policy enforced in X.509 certificate which dictates the certificate is used as credential to authenticate one or more particular users within one or more Microsoft Entra ID tenants, and the unique characteristics of such certificate will be identified by the PKI, the Microsoft Entra ID, to understand users registered which is capable to be authenticated using such the certificate identity, with high confidence, which comes to be ultimately trusted by the PKI. The policy also ensures the certificate authenticates the Microsoft Entra ID user as satisfying the MFA requirements as set out by Microsoft.

Authentic linguistic representation of the object indicated by this OID is available in this article. They are last revised on 15/4/2024 CST.

Authentic English Interpretation of Concept Indicated

The concept indicated by this OID is a certificate usage policy by the PKI system, which falls under the following use cases:--

  1. As authenticate credential of one or more Microsoft Entra ID users, dictated by the registry which binds one or more particular unique characteristics of the certificate with one or more covered particular Entra ID users;
  2. As authenticate credential of covered Microsoft Entra ID users which satisfies MFA requirements as set out by Microsoft, outlined in Microsoft Learn official product documentations, where such MFA requirements are interpreted as requirements for successful MFA authentication of the Microsoft Entra ID system, no matter if a single authentication mechanism is used or not in the authentication process.

Example Use of OID

An example use of this OID can be found on the digital certificate, syscal3-1@s10 and the following Microsoft Entra ID settings. As seen on the settings item, certificates supplied to the Microsoft Entra ID system with the given OID will be forcibly treated as to be used the certificate attribute will only be bound by a particular user with high confidence to the PKI, which, in practise, only attributes which will be uniquely used by the certificate will be able to be bound by the user specified under the user attributes item.

Because the combination of serial number and issuer's DN is sufficient to uniquely identify a particular certificate, such combination is specified and is allowed to be bound by a particular user. Additionally, the Subject Key Identifier will also be used for such purposes by design, as per IETF documentation. As seen on the user properties page, such user is bound with a certificate with the specified serial number and issuer Distinguished Name.

Screenshot showing a PWA window partially, with certificate-based authentication settings tenant-wide.
Screenshot of a PWA window showing up X.509 certificate attributes to bind a particular user with the certificate which can be used to authenticate him/herself. Not all of the window content is captured.

Authentic Chinese Interpretation of Concept Indicated (Simplified, China, zh-hans-CN)

该对象标识符所标示的概念是一个公钥基础设施系统的证书使用策略,该策略确定了以下使用场景:

(一)通过Microsoft Entra ID系统注册表中的信息,决定通过记录一个或多个证书唯一识别特征与一个或多个相对应的Microsoft Entra ID用户的信息,以对用户的身份进行认证的凭证;
(二)根据Microsoft所制定的规则,即如Microsoft Learn产品技术文档中所述,作为满足多因素认证条件的身份认证凭据,而使用其进行身份认证的凭据,尽管此种“多因素认证条件”应被理解为无论单一身份认证手段是否在成功进行Microsoft Entra ID系统身份认证过程被使用过的情况下而成功进行该类身份认证的要求。