3.3.4.1.1.2 GetPoliciesResponse

The GetPoliciesResponse message contains the response for the GetPolicies operation.

The SOAP action value is

 http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse

The GetPoliciesResponse message is sent from the server to the client and contains the requested certificate enrollment policies.

   <wsdl:message name="IPolicy_GetPolicies_OutputMessage">
     <wsdl:part name="response" element="xcep:GetPoliciesResponse"/>
   </wsdl:message>

xcep:GetPoliciesResponse: An instance of a <GetPoliciesResponse> element as specified in [MS-XCEP] section 3.1.4.1.2.2.

The enrollment client evaluates the following child elements of the <GetPoliciesResponse> element to determine whether to include the child element in the SOAP body of the response message. When a child element is included, the element and value are specified using syntax similar to XML Path Language (XPath).

xcep:GetPoliciesResponse/response/policyFriendlyName (see [MS-XCEP] section 3.1.4.1.3.23).

xcep:GetPoliciesResponse/response/nextUpdateHours (see [MS-XCEP] section 3.1.4.1.3.23).

xcep:GetPoliciesResponse/response/policiesNotChanged (see [MS-XCEP] section 3.1.4.1.3.23).

xcep:GetPoliciesResponse/response/policyID (see [MS-XCEP] section 3.1.4.1.3.23).

xcep:GetPoliciesResponse/response/policies/policy/policyOIDReference (see [MS-XCEP] section 3.1.4.1.3.7).

xcep:GetPoliciesResponse/response/policies/policy/cAs (see [MS-XCEP] section 3.1.4.1.3.7).

xcep:GetPoliciesResponse/response/policies/policy/attributes/commonName (see [MS-XCEP] section 3.1.4.1.3.1).

xcep:GetPoliciesResponse/response/policies/policy/attributes/policySchema: The value MUST be 3 (see [MS-XCEP] section 3.1.4.1.3.1).

xcep:GetPoliciesResponse/response/policies/policy/attributes/certificateValidity (see [MS-XCEP] section 3.1.4.1.3.8).

xcep:GetPoliciesResponse/response/policies/policy/attributes/permission/enroll (see [MS-XCEP] section 3.1.4.1.3.11).

xcep:GetPoliciesResponse/response/policies/policy/attributes/permission/autoEnroll (see [MS-XCEP] section 3.1.4.1.3.11).

xcep:GetPoliciesResponse/response/policies/policy/attributes/privatekeyattributes/minimalkeylength (see [MS-XCEP] section 3.1.4.1.3.20).

xcep:GetPoliciesResponse/response/policies/policy/attributes/privatekeyattributes/algorithmOIDReference (see [MS-XCEP] section 3.1.4.1.3.20).

xcep:GetPoliciesResponse/response/policies/policy/attributes/privatekeyattributes/keySpec (see [MS-XCEP] section 3.1.4.1.3.20).

xcep:GetPoliciesResponse/response/policies/policy/attributes/privatekeyattributes/keyUsageProperty (see [MS-XCEP] section 3.1.4.1.3.20).

xcep:GetPoliciesResponse/response/policies/policy/attributes/privatekeyattributes/permissions (see [MS-XCEP] section 3.1.4.1.3.20).

xcep:GetPoliciesResponse/response/policies/policy/attributes/privatekeyattributes/AttestationFailureBehavior: This is an optional node if the EnrollmentVersion value is 5.0 or higher.<22> If used, this node MUST have a value FailOnError, IgnoreOnError, or RetryOnError. If FailOnError is used, Certificate Attestation will be attempted once, and if it fails, Enrollment will fail. If IgnoreOnError is used, Certificate Attestation will be attempted once, and if it fails, Enrollment will continue. If RetryOnError is chosen, Certificate Attestation will be attempted as many times as allowed by the timeout specified by the xcep:GetPoliciesResponse/response/policies/policy/attributes/privatekeyattributes/OperationTimeout tag. If Certificate Attestation still fails, Enrollment will continue. If no value is specified and Certificate Attestation is still used, the default OS behavior will be RetryOnError.

xcep:GetPoliciesResponse/response/policies/policy/attributes/privatekeyattributes/OperationTimeout: This is an optional node if the EnrollmentVersion value is 5.0 or higher.<23> If used, this lists the time, in seconds, that the OS will continue attempting to perform Certificate Attestation in case of errors. If no value is specified here and Certificate Attestation is still used, the default OS behavior will be 100 seconds.

xcep:GetPoliciesResponse/response/policies/policy/attributes/revision/majorRevision (see [MS-XCEP] section 3.1.4.1.3.24).

xcep:GetPoliciesResponse/response/policies/policy/attributes/revision/minorRevision (see [MS-XCEP] section 3.1.4.1.3.24).

xcep:GetPoliciesResponse/response/policies/policy/attributes/privatekeyattributes/cryptoProviders (see [MS-XCEP] section 3.1.4.1.3.20).

xcep:GetPoliciesResponse/response/policies/policy/attributes/hashAlgorithmOIDReference: The referenced object identifier (OID) MUST be in the <GetPoliciesResponse> element (see [MS-XCEP] section 3.1.4.1.3.1).

xcep:GetPoliciesResponse/response/policies/policy/attributes/supersededPolicies (see [MS-XCEP] section 3.1.4.1.3.1).

xcep:GetPoliciesResponse/response/policies/policy/attributes/privateKeyFlags (see [MS-XCEP] section 3.1.4.1.3.1).

xcep:GetPoliciesResponse/response/policies/policy/attributes/subjectNameFlags (see [MS-XCEP] section 3.1.4.1.3.1).

xcep:GetPoliciesResponse/response/policies/policy/attributes/enrollmentFlags (see [MS-XCEP] section 3.1.4.1.3.1).

xcep:GetPoliciesResponse/response/policies/policy/attributes/generalFlags (see [MS-XCEP] section 3.1.4.1.3.1).

xcep:GetPoliciesResponse/response/policies/policy/attributes/rARequirements (see [MS-XCEP] section 3.1.4.1.3.1).

xcep:GetPoliciesResponse/response/policies/policy/attributes/keyArchivalAttributes (see [MS-XCEP] section 3.1.4.1.3.1).

xcep:GetPoliciesResponse/response/policies/policy/attributes/extensions (see [MS-XCEP] section 3.1.4.1.3.1).

xcep:GetPoliciesResponse/response/policies/policy/attributes/attestation/attestationFailureBehavior: This functions identically to the xcep:GetPoliciesResponse/response/policies/policy/attributes/privatekeyattributes/AttestationFailureBehavior node, except this one takes precedence if both are set. This node is available on EnrollmentVersion value 6.0 or higher.

xcep:GetPoliciesResponse/response/policies/policy/attributes/attestation/operationTimeout: This functions identically to the xcep:GetPoliciesResponse/response/policies/policy/attributes/privatekeyattributes/OperationTimeout node, except this one takes precedence if both are set. This node is available on EnrollmentVersion value 6.0 or higher.

xcep:GetPoliciesResponse/response/policies/policy/attributes/attestation/azureAttestation/nonce: This optional node should contain the nonce used for the AzureAttestation flow. This node is available on EnrollmentVersion value 6.0 or higher.

xcep:GetPoliciesResponse/response/policies/policy/attributes/attestation/azureAttestation/relyingPartyId: This optional node should contain the Relying Party ID used for the AzureAttestation flow to uniquely identify the relying party. This node is available on EnrollmentVersion value 6.0 or higher.

xcep:GetPoliciesResponse/response/policies/policy/attributes/attestation/azureAttestation/endpointUri: This optional node should contain the URI used for Azure Attestation. The client code will call this Azure Attestation endpoint to perform the AzureAttestation flow. This node is available on EnrollmentVersion value 6.0 or higher.

xcep:GetPoliciesResponse/cAs (see [MS-XCEP] section 3.1.4.1.2.2).

xcep:GetPoliciesResponse/oIDs/oID: The OID referred to by the value of the hashAlgorithmOIDReference element specified above (see [MS-XCEP] section 3.1.4.1.2.2). The value MUST conform to the constraints specified in [MS-XCEP] section 3.1.4.1.3.16. For example, the <group> element value is 1.
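The following Python is an added illustration of how an enrollment client could check a received GetPoliciesResponse against the constraints listed in this section; it is not code from the specification or from any Microsoft implementation. It parses a constructed sample response (element names follow the XPath-style paths above, including the mixed casing of the privatekeyattributes and attestation nodes), enforces that policySchema is 3, that any attestation failure behavior is one of FailOnError, IgnoreOnError or RetryOnError, that the attestation/* nodes (EnrollmentVersion 6.0 or higher) take precedence over the privatekeyattributes/* nodes (5.0 or higher) with the OS defaults RetryOnError and 100 seconds when neither is present, and that hashAlgorithmOIDReference resolves to an <oID> in <oIDs> whose <group> is 1. The XCEP namespace is taken from the SOAP action URL above; the OID values and the group value of the non-hash OID in the sample are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Namespace of the XCEP policy elements (prefix of the SOAP action URL in this section).
NS = {"xcep": "http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy"}

ALLOWED_BEHAVIORS = {"FailOnError", "IgnoreOnError", "RetryOnError"}
DEFAULT_BEHAVIOR = "RetryOnError"   # OS default when no behavior node is present
DEFAULT_TIMEOUT_SECONDS = 100       # OS default when no timeout node is present

# Constructed sample response (not from the specification). The first policy is well formed;
# the second violates three constraints. OID values and the group 9 entry are assumptions.
SAMPLE_RESPONSE = """<GetPoliciesResponse xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
  <response>
    <policyID>constructed-policy-id</policyID>
    <policyFriendlyName>Constructed MDM policy</policyFriendlyName>
    <nextUpdateHours>8</nextUpdateHours>
    <policiesNotChanged>false</policiesNotChanged>
    <policies>
      <policy>
        <policyOIDReference>1</policyOIDReference>
        <attributes>
          <commonName>DeviceCert</commonName>
          <policySchema>3</policySchema>
          <hashAlgorithmOIDReference>2</hashAlgorithmOIDReference>
          <privatekeyattributes>
            <minimalkeylength>2048</minimalkeylength>
            <AttestationFailureBehavior>RetryOnError</AttestationFailureBehavior>
            <OperationTimeout>30</OperationTimeout>
          </privatekeyattributes>
          <attestation>
            <attestationFailureBehavior>FailOnError</attestationFailureBehavior>
          </attestation>
        </attributes>
      </policy>
      <policy>
        <policyOIDReference>1</policyOIDReference>
        <attributes>
          <commonName>BrokenPolicy</commonName>
          <policySchema>2</policySchema>
          <hashAlgorithmOIDReference>99</hashAlgorithmOIDReference>
          <privatekeyattributes>
            <AttestationFailureBehavior>Sometimes</AttestationFailureBehavior>
          </privatekeyattributes>
        </attributes>
      </policy>
    </policies>
  </response>
  <cAs/>
  <oIDs>
    <oID><value>1.3.6.1.4.1.311.999.1</value><group>9</group><oIDReferenceID>1</oIDReferenceID></oID>
    <oID><value>2.16.840.1.101.3.4.2.1</value><group>1</group><oIDReferenceID>2</oIDReferenceID></oID>
  </oIDs>
</GetPoliciesResponse>"""


def _text(elem, path, default=None):
    """Text of the first child at an xcep-qualified relative path, or the default."""
    found = elem.find(path, NS) if elem is not None else None
    return found.text.strip() if found is not None and found.text else default


def resolve_attestation(attributes, enrollment_version):
    """Apply the precedence rules of this section: attestation/* (6.0+) overrides
    privatekeyattributes/* (5.0+); anything still unset falls back to the OS defaults."""
    behavior = timeout = None
    if enrollment_version >= 5.0:
        behavior = _text(attributes, "xcep:privatekeyattributes/xcep:AttestationFailureBehavior")
        timeout = _text(attributes, "xcep:privatekeyattributes/xcep:OperationTimeout")
    if enrollment_version >= 6.0:
        behavior = _text(attributes, "xcep:attestation/xcep:attestationFailureBehavior", behavior)
        timeout = _text(attributes, "xcep:attestation/xcep:operationTimeout", timeout)
    try:
        seconds = int(timeout) if timeout is not None else DEFAULT_TIMEOUT_SECONDS
    except ValueError:  # a non-numeric timeout is treated as absent
        seconds = DEFAULT_TIMEOUT_SECONDS
    return behavior or DEFAULT_BEHAVIOR, seconds


def attestation_settings(xml_text, enrollment_version=6.0):
    """Map each policy's commonName to its effective (behavior, timeout_seconds)."""
    root = ET.fromstring(xml_text)
    result = {}
    for policy in root.findall("xcep:response/xcep:policies/xcep:policy", NS):
        attrs = policy.find("xcep:attributes", NS)
        result[_text(attrs, "xcep:commonName", "<unnamed>")] = resolve_attestation(attrs, enrollment_version)
    return result


def validate_response(xml_text, enrollment_version=6.0):
    """Return a list of constraint violations; an empty list means every policy passed."""
    root = ET.fromstring(xml_text)
    # hashAlgorithmOIDReference must point at an <oID> in <oIDs>; for a hash OID <group> is 1
    oid_groups = {_text(o, "xcep:oIDReferenceID"): _text(o, "xcep:group")
                  for o in root.findall("xcep:oIDs/xcep:oID", NS)}
    findings = []
    for policy in root.findall("xcep:response/xcep:policies/xcep:policy", NS):
        attrs = policy.find("xcep:attributes", NS)
        name = _text(attrs, "xcep:commonName", "<unnamed>")
        if _text(attrs, "xcep:policySchema") != "3":
            findings.append(f"{name}: policySchema MUST be 3")
        behavior, _ = resolve_attestation(attrs, enrollment_version)
        if behavior not in ALLOWED_BEHAVIORS:
            findings.append(f"{name}: attestation failure behavior {behavior!r} is not allowed")
        hash_ref = _text(attrs, "xcep:hashAlgorithmOIDReference")
        if hash_ref is not None and oid_groups.get(hash_ref) != "1":
            findings.append(f"{name}: hashAlgorithmOIDReference {hash_ref} does not resolve to a group-1 <oID>")
    return findings


if __name__ == "__main__":
    for name, settings in attestation_settings(SAMPLE_RESPONSE).items():
        print(name, settings)
    for finding in validate_response(SAMPLE_RESPONSE):
        print("FINDING:", finding)
```

Calling validate_response with a lower EnrollmentVersion shows how the same response is read by an older client: at 5.0 the attestation/* nodes are ignored, so DeviceCert falls back to the privatekeyattributes value RetryOnError, and below 5.0 both attestation nodes are ignored and the OS defaults apply.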