5.1.11 Data Consistency for Certificate Templates

It is not possible for a distributed system to achieve all three of the following desirable properties at once:

  • Data consistency.

  • Application availability.

  • Tolerance of network partitions.

Because network partitions are unavoidable, the implementer must sacrifice either data consistency or application availability in the system design.

The Microsoft CA and the client code that requests certificates have chosen to provide application availability and to sacrifice data consistency if a conflict arises. This choice shows up in a variety of design decisions, including, in particular, the caching of certificate templates.

These systems regain data consistency only after network partitions are healed. The time needed to reach consistency can be significant (perhaps several hours or days).

If the use of an old certificate template would create a security flaw for the user of this system, methods exist that let the user identify whether the template is up-to-date and, if necessary, retrieve the current template.

When making a request for a certificate to match a particular template, the user can request that template not only by CN but also by OID and by revision number.

In critical cases, the user can define a new OID for the new template and retire certificates that were built according to the previous OID. In less-critical cases, the user can wait for Active Directory propagation, as is normal for anything else stored in Active Directory, and can expect changes to become fully distributed sometime during that wait period.
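The check described above (is a certificate's template current, stale, or retired?) can be automated by reading the template OID and revision from the issued certificate and comparing them against an authoritative view. The following is an added example written for this section, not code from the specification or from Microsoft. It assumes the v2 certificate-template extension (OID 1.3.6.1.4.1.311.21.7) whose value is DER `SEQUENCE { templateID OID, majorVersion INTEGER, minorVersion INTEGER OPTIONAL }`, and it uses a constructed template OID and revision numbers as sample input. A hypothetical dictionary stands in for the authoritative template store (for example, one freshly read from a writable domain controller rather than a local cache).

```python
"""Template-revision consistency check (added example; not part of the specification)."""
from typing import Dict, NamedTuple, Optional, Set

# OID of the v2 certificate-template extension (szOID_CERTIFICATE_TEMPLATE).
TEMPLATE_EXT_OID = "1.3.6.1.4.1.311.21.7"


class TemplateRef(NamedTuple):
    oid: str
    major: int
    minor: Optional[int]  # minorVersion is OPTIONAL in the extension


# --- minimal DER helpers: only what this one extension needs ---------------

def _encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                       # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return bytes([0x06]) + _encode_len(len(body)) + bytes(body)


def _encode_int(n: int) -> bytes:            # non-negative INTEGER only
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return bytes([0x02]) + _encode_len(len(b)) + b


def _read_tlv(data: bytes, pos: int):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


# --- the extension itself ---------------------------------------------------

def encode_template_extension(ref: TemplateRef) -> bytes:
    """Build the DER value a CA would place in the template extension (used here to
    construct sample input)."""
    content = _encode_oid(ref.oid) + _encode_int(ref.major)
    if ref.minor is not None:
        content += _encode_int(ref.minor)
    return bytes([0x30]) + _encode_len(len(content)) + content


def parse_template_extension(der: bytes) -> TemplateRef:
    """Recover (templateID, majorVersion, minorVersion) from the extension value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, oid_body, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected templateID OID")
    tag, major_body, pos = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected majorVersion INTEGER")
    minor = None
    if pos < len(seq):                         # minorVersion present
        tag, minor_body, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected minorVersion INTEGER")
        minor = int.from_bytes(minor_body, "big")
    return TemplateRef(_decode_oid(oid_body), int.from_bytes(major_body, "big"), minor)


def classify_certificate(issued: TemplateRef,
                         current: Dict[str, TemplateRef],
                         retired_oids: Set[str]) -> str:
    """Compare the template a certificate was issued from against the authoritative
    view. 'retired' takes precedence: a retired OID is no longer acceptable at any
    revision. 'ahead-of-local-cache' means the issuer saw a newer revision than this
    checker's own copy, i.e. the checker's cache is the stale side."""
    if issued.oid in retired_oids:
        return "retired"
    cur = current.get(issued.oid)
    if cur is None:
        return "unknown-template"
    issued_rev = (issued.major, issued.minor or 0)
    current_rev = (cur.major, cur.minor or 0)
    if issued_rev < current_rev:
        return "stale-revision"
    if issued_rev > current_rev:
        return "ahead-of-local-cache"
    return "current"


# Constructed sample data: a hypothetical template OID and revisions.
SAMPLE_OID = "1.3.6.1.4.1.311.21.8.1234.5"
CURRENT_TEMPLATES = {SAMPLE_OID: TemplateRef(SAMPLE_OID, 100, 3)}
RETIRED_OIDS = {"1.3.6.1.4.1.311.21.8.1234.4"}
```

To use it, extract the 1.3.6.1.4.1.311.21.7 extension value from an issued certificate, pass it to `parse_template_extension`, and feed the result to `classify_certificate` together with templates read from an authoritative source. Certificates classified `stale-revision` or `retired` are the ones that warrant re-enrollment after a template change; `ahead-of-local-cache` indicates that the checker itself is reading stale template data and should refresh before acting.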