Bugtraq mailing list archives
CRLs (was Re: Verisign certificates problem
From: Michael Reilly <michaelr () CISCO COM>
Date: Tue, 27 Mar 2001 15:45:28 -0800
> Actually, checking most of the CA certificates shipped with IE, less than half have a CDP field.
How many of those certs are self-signed root certs? A CDP in a self-signed root cert is, obviously, useless since the revoked cert contains the key used to sign the CRL. The fact that the cert is revoked means that anything signed by the public key (including the CRL) contained in that cert is suspect if it was signed after the cert was revoked.
That I know of, Entrust.net, SITA, and EQUANT all have functioning CRLs (they use CDPs for slightly more efficient handling of large CRLs).
Verisign also has functioning CRLs. Some of their customers use them and some do not. I do not know what Verisign's policy is regarding a CDP in a cert they issue. Verisign did not use the OPTIONAL CDP extension until recently.

To me, Microsoft should be responsible for their code which disables CRL checking and which makes it hard to even determine that CRL checking is disabled. Note that Microsoft's IPSec implementation in Windows 2000 also does not check CRLs by default.

michael
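The two checks the post turns on (does a certificate carry a CRL Distribution Points extension, and is it a self-signed root, where a CDP buys nothing because the CRL would be signed by the very key in question) can be run against any PEM certificate with the openssl command line. The script below is an added example, not part of the original post or of any CA's tooling: it builds throwaway test certificates (a self-signed root without a CDP, a leaf the root issues with a CDP, and a second self-signed root that does carry a CDP) and classifies each. The subject names, file paths and the CRL URL are assumptions made up for the demonstration; it assumes an openssl CLI that accepts `x509 -req -signkey` and `-extfile`.

```shell
#!/bin/sh
# Added example (not from the post): inspect certificates for a CRL Distribution
# Points (CDP) extension and for being self-signed, using the openssl CLI.
# All names, paths and the CRL URL below are made up for illustration.
set -eu
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CDP_URL="http://crl.example.test/root.crl"   # hypothetical URL, never fetched
printf 'crlDistributionPoints=URI:%s\n' "$CDP_URL" > "$WORK/cdp.ext"

# 1. Self-signed root with no CDP (the usual shape of a trust-store root).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Test Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1

# 2. Leaf issued by that root, carrying a CDP that points at the root's CRL.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=leaf.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
  -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$WORK/cdp.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1

# 3. Self-signed root that does carry a CDP (the "useless" case from the post).
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=Example Root With CDP" \
  -keyout "$WORK/root2.key" -out "$WORK/root2.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/root2.csr" -signkey "$WORK/root2.key" \
  -extfile "$WORK/cdp.ext" -out "$WORK/root2.crt" >/dev/null 2>&1

# Prints "yes" if the PEM certificate in $1 has a CDP extension, else "no".
has_cdp() {
  if openssl x509 -in "$1" -noout -text | grep -q 'X509v3 CRL Distribution Points'; then
    echo yes
  else
    echo no
  fi
}

# Prints "yes" if the certificate's subject equals its issuer, else "no".
# (Subject == issuer is the self-signed root shape the post is talking about.)
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# Classifies a certificate: "none" (no CDP at all), "useless" (CDP on a
# self-signed cert: the CRL it names would be signed by the same key whose
# revocation is in question), or "usable" (CDP on a cert signed by someone else).
cdp_status() {
  if [ "$(has_cdp "$1")" = no ]; then
    echo none
  elif [ "$(is_self_signed "$1")" = yes ]; then
    echo useless
  else
    echo usable
  fi
}

# Stand-alone run: report the three test certificates.
for c in root leaf root2; do
  printf '%-6s self-signed=%s cdp=%s status=%s\n' "$c" \
    "$(is_self_signed "$WORK/$c.crt")" "$(has_cdp "$WORK/$c.crt")" \
    "$(cdp_status "$WORK/$c.crt")"
done
```

To run the same classification over a real trust store, point `cdp_status` at each PEM file in it; on most Linux distributions that is the directory `/etc/ssl/certs`, and the expected result for genuine roots is "none" or "useless", never "usable".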