[19830] in bugtraq
Re: Verisign certificates problem
daemon@ATHENA.MIT.EDU (Elias Levy)
Sat Mar 24 03:42:51 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20010323131618.F9438@securityfocus.com>
Date: Fri, 23 Mar 2001 13:16:18 -0700
Reply-To: aleph1@SECURITYFOCUS.COM
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Sadly, Thawte (which was purchased by Verisign and is supposed to be the
second largest CA) does not include a CPD field in their server certificates
either.

Actually, checking most of the CA certificates shipped with IE, less than
half have a CPD field. Of the big CAs, only Entrust seems to use the field.

On the plus side, if you use IE and go into Internet Options -> Advanced
-> Security and check the boxes next to "Check for publisher's certificate
revocation" and "Check for server certificate revocation", then you
will get a warning. IE won't pop up the warning when you visit a site
with a certificate without a CPD field, but if you click on the lock
and bring up the certificate window you will see the following text:

"Windows cannot determine the validity of this certificate because it
cannot locate a valid certificate revocation list from the certificate
authority that issued this certificate."

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
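
Added example (not part of the original message): a dependency-free Python check for the condition described above, namely whether a DER-encoded certificate carries the CRL Distribution Points extension (OID 2.5.29.31, which the message calls the CPD field) and which URLs it lists. The sample certificates are constructed skeletons with the X.509 field layout rather than real CA certificates, the URL is a placeholder, and all function names are this example's own.

```python
CDP_OID = bytes.fromhex("551d1f")  # 2.5.29.31, id-ce-cRLDistributionPoints

def tlv(tag, body):  # DER encoder, used only to build the constructed samples
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = [n] if n < 0x80 else [0x80 | size, *n.to_bytes(size, "big")]
    return bytes([tag, *head]) + body

def children(body):  # yield (tag, value) per DER element; definite lengths only
    pos = 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            size = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + size], "big"), pos + size
        if pos + length > len(body):
            raise ValueError("truncated DER element")
        yield tag, body[pos:pos + length]
        pos += length

def find_uris(body):  # collect GeneralName URI values ([6], tag 0x86)
    out = []
    for tag, val in children(body):
        if tag == 0x86:
            out.append(val.decode("ascii"))
        elif tag & 0x20:  # constructed element: descend
            out.extend(find_uris(val))
    return out

def crl_urls(cert_der):  # CDP URIs as a list, or None if the extension is absent
    (_, cert), = children(cert_der)
    for tag, val in children(next(children(cert))[1]):  # tbsCertificate fields
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            for _, ext in children(next(children(val))[1]):
                fields = list(children(ext))  # OID, optional critical, OCTET STRING
                if fields[0][1] == CDP_OID:
                    return find_uris(fields[-1][1])
    return None

def sample_cert(extensions):  # constructed X.509-shaped skeleton, not a real cert
    stub = tlv(0x30, b"")
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + stub * 5
    tbs += tlv(0xA3, tlv(0x30, b"".join(extensions)))
    return tlv(0x30, tlv(0x30, tbs) + stub + tlv(0x03, b"\x00"))

DP = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.example.test/ca.crl"))))
CDP_EXT = tlv(0x30, tlv(0x06, CDP_OID) + tlv(0x04, tlv(0x30, DP)))
BASIC_EXT = tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x04, tlv(0x30, b"")))
print(crl_urls(sample_cert([BASIC_EXT])))           # no CDP extension
print(crl_urls(sample_cert([BASIC_EXT, CDP_EXT])))  # CDP extension with one URI
```

For a real certificate, pass its DER bytes to `crl_urls`; a PEM file can be converted first with the standard library's `ssl.PEM_cert_to_DER_cert`.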