[19877] in bugtraq


CRLs (was Re: Verisign certificates problem

daemon@ATHENA.MIT.EDU (Michael Reilly)
Wed Mar 28 00:05:59 2001

MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID:  <NDBBILGMDJCMOAOEPNBEMEAIHKAA.michaelr@cisco.com>
Date:         Tue, 27 Mar 2001 15:45:28 -0800
Reply-To: Michael Reilly <michaelr@CISCO.COM>
From: Michael Reilly <michaelr@CISCO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

>>Actually checking most of the CA certificates shipped with IE less than
>>half have a CDP field.

How many of those certs are self-signed root certs?  A CDP in a self-signed
root cert is, obviously, useless since the revoked cert contains the key
used to sign the CRL.  The fact that the cert is revoked means that anything
signed by the public key (including the CRL) contained in that cert is
suspect if it was signed after the cert was revoked.

>>That I know of, Entrust.net, SITA, and EQUANT all have functioning CRLs (They
>>use CDP's for slightly more efficient handling of large CRLs)

Verisign also has functioning CRLs.  Some of their customers use them and
some do not.  I do not know what Verisign's policy is regarding a CDP in a
cert they issue.

Verisign did not use the OPTIONAL CDP extension until recently.

To me, Microsoft should be responsible for their code which disables CRL
checking and which makes it hard to even determine that CRL checking is
disabled.  Note that Microsoft's IPSec implementation in Windows 2000 also
does not check CRLs by default.

michael
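The two checks this thread turns on, whether a certificate carries a CRL Distribution Points (CDP) extension at all and whether it is a self-issued root for which a CDP is useless, can be made mechanical. The following is an added example written for this archive page, not code from the thread's participants, Cisco, Verisign or Microsoft. It uses only the Python standard library: a few-line DER encoder builds constructed test certificates (placeholder algorithm identifiers, key bits and signature; no real key material), and a small DER walker then reads the issuer, subject and the CDP extension back out. The function names `build_cert`, `analyze_certificate` and `cdp_uris`, and the `example.test` URIs, are this example's own inventions.

```python
"""Added example (not from the bugtraq thread): inspect a DER certificate for
a CRL Distribution Points extension and flag self-issued roots, using only the
standard library. Sample certificates are constructed in-line with a tiny DER
encoder; they carry no real key or signature."""

OID_CDP = bytes([0x55, 0x1D, 0x1F])   # 2.5.29.31 id-ce-cRLDistributionPoints
OID_CN = bytes([0x55, 0x04, 0x03])    # 2.5.4.3  id-at-commonName
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"          # 1.2.840.113549.1.1.1


def der(tag, content):
    """Encode one DER TLV (definite length, values up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN."""
    atv = der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


def build_cert(subject_cn, issuer_cn, cdp_uri=None):
    """Constructed test certificate (placeholder key and signature bits).
    Only the fields this example parses are populated meaningfully."""
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA))
    validity = der(0x30, der(0x17, b"010101000000Z") + der(0x17, b"301231235959Z"))
    spki = der(0x30, der(0x30, der(0x06, OID_RSA)) + der(0x03, b"\x00\x00"))
    exts = b""
    if cdp_uri is not None:
        uri = der(0x86, cdp_uri.encode("ascii"))      # GeneralName uniformResourceIdentifier [6]
        dp = der(0x30, der(0xA0, der(0xA0, uri)))      # DistributionPoint { [0] DistributionPointName { fullName [0] } }
        ext = der(0x30, der(0x06, OID_CDP) + der(0x04, der(0x30, dp)))
        exts = der(0xA3, der(0x30, ext))               # [3] EXPLICIT Extensions
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + name(issuer_cn) + validity + name(subject_cn) + spki + exts)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00\x00"))


def read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split the content of a constructed value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def cdp_uris(ext_value):
    """Collect URIs from a CRLDistributionPoints value (fullName form only)."""
    _, points, _ = read_tlv(ext_value)                # SEQUENCE OF DistributionPoint
    uris = []
    for _, dp in children(points):
        for tag, dpn in children(dp):
            if tag != 0xA0:                           # distributionPoint [0]
                continue
            for tag2, names in children(dpn):
                if tag2 != 0xA0:                      # fullName [0] GeneralNames
                    continue
                for tag3, gn in children(names):
                    if tag3 == 0x86:                  # uniformResourceIdentifier [6]
                        uris.append(gn.decode("ascii"))
    return uris


def analyze_certificate(cert_der):
    """Report whether the cert is self-issued and where its CRL is published.
    A CDP inside a self-issued root points at a CRL signed by the very key the
    root would have revoked, so it is not treated as a usable revocation source."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert)                        # tbsCertificate comes first
    fields = children(tbs)
    if fields[0][0] == 0xA0:                          # optional [0] version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]      # raw DER Name contents
    uris = []
    for tag, body in fields[6:]:
        if tag != 0xA3:                               # [3] extensions
            continue
        _, exts, _ = read_tlv(body)
        for _, ext in children(exts):
            parts = children(ext)                     # OID, optional BOOLEAN, OCTET STRING
            if parts[0][1] == OID_CDP:
                uris = cdp_uris(parts[-1][1])
    self_issued = issuer == subject                   # issuer == subject heuristic for a root
    return {"self_issued": self_issued, "cdp_uris": uris,
            "crl_checkable": bool(uris) and not self_issued}


if __name__ == "__main__":
    for label, cert in [("root", build_cert("Example Root CA", "Example Root CA",
                                            "http://crl.example.test/root.crl")),
                        ("leaf", build_cert("www.example.test", "Example Root CA",
                                            "http://crl.example.test/ca.crl")),
                        ("leaf-no-cdp", build_cert("www.example.test", "Example Root CA"))]:
        print(label, analyze_certificate(cert))
```

Run against a real certificate by passing its DER bytes to `analyze_certificate`; the parser handles the version, serial, issuer, subject and extension layout of an X.509 v3 certificate but deliberately ignores other extensions and the relativeName form of a distribution point. The `self_issued` test is the issuer-equals-subject heuristic, not a signature verification, which is enough to separate the shipped root certs the thread is counting from the end-entity certs for which a CDP is actually usable.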
