
List:       ms-capicom
Subject:    Re: Verify CRL issuer
From:       Robert Rolls <Robert.Rolls () DEVNET ! ATO ! GOV ! AU>
Date:       2003-03-19 21:50:27

I have a very limited understanding of CRLs, as you've probably gathered
from my original posting. If I call CertCreateCRLContext, what checking
does it do? What information do I need to extract? Is there a thumbprint
or something within?


-----Original Message-----
From: Michel Gallant (MVP) [mailto:neutron@ISTAR.CA] 
Sent: Thursday, 20 March 2003 7:54 AM
To: CAPICOM@DISCUSS.MICROSOFT.COM
Subject: Re: Verify CRL issuer


Yes, that makes sense. Obviously, since CRLs are based on PKCS standards, any
signature would have to be cross-platform... thinking too much of
Authenticode :-(.
So any platform that supports CRLs would need to validate the internal
signature information.

On Win32, I gather that opening a .crl file with the default association:
   rundll32.exe cryptext.dll,CryptExtOpenCRL %1
will indicate whether the signature therein is by a cert issued by a trusted CA?

Thanks, 
 - Mitch 

"Ryan M. Hurst" wrote: 

        CRLs are not signed using Authenticode/PKCS7/CMS messages; they
are signed in the same way certificates are, so I am not sure I
understand this statement.

        As for the original question, I suggest not dealing with CRLs
directly; let CryptoAPI/CAPICOM do this for you. Just request that
revocation checking be done when you perform your chain validation.

        Ryan 

        -----Original Message----- 
        From: Michel Gallant (MVP) [mailto:neutron@ISTAR.CA] 
        Sent: Wednesday, March 19, 2003 7:10 AM 
        To: CAPICOM@DISCUSS.MICROSOFT.COM 
        Subject: Re: Verify CRL issuer 

        This may not be correct. It looks like .crl files don't support
        Authenticode signatures:
          http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcode/signing.asp
        and after looking at some of the VeriSign CRLs at:
          http://www.verisign.com/repository/crl.html
        none are (Authenticode) signed, and they can't be signed with
        signcode.exe.

        Not sure how, within PKI, you authenticate CRLs. Perhaps there is
        a signed .cat file containing hashes of each CRL file? I guess one
        of the issues is that CRL files have to change dynamically as
        entries are added.
         - Mitch

        "Michel Gallant (MVP)" wrote:  

                Same issue as verifying who issued any regular
                certificate. The CRL should be signed itself (also, CAT
                files are also signed). It will boil down to the list of
                trusted CAs in the Root store.
                 - Mitch

                Robert Rolls wrote:  

                        How can I verify that the issuer name is the
person who actually issued the CRL? I download a CRL from the internet,
presumably issued by Telstra, but how can I verify this?

                        Robert.

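The checks the thread converges on (a CRL is signed like a certificate, so verifying "who issued it" means checking the signature with the issuer's public key and then checking that the issuer chains to a root you trust) as an added, runnable example. This is not code from the thread and not CAPICOM/CryptoAPI code: it uses Go's standard crypto/x509 package so it runs offline on any platform, and the CA names, keys, serial numbers and CRLs are constructed inside the program. On Win32 the same steps are what CryptVerifyCertificateSignatureEx with CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL and chain building with the CERT_CHAIN_REVOCATION_CHECK_* flags do for you; CertCreateCRLContext on its own only decodes the CRL into a context and verifies nothing. The example also shows why the issuer name alone proves nothing: a rogue key can put any name in the issuer field.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA mints a self-signed CA (a constructed fixture, not a real authority).
// keyUsage cRLSign matters: CheckSignatureFrom rejects CRLs from a CA without it.
func newCA(cn string, now time.Time) (*x509.Certificate, []byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // re-parse so SubjectKeyId/RawSubject are populated
	return cert, der, key, err
}

// VerifyCRLIssuer answers "who really issued this CRL?": it returns the parsed CRL
// only if it is signed by issuerDER, is current, and issuerDER chains to roots.
func VerifyCRLIssuer(crlDER, issuerDER []byte, roots *x509.CertPool, now time.Time) (*x509.RevocationList, error) {
	crl, err := x509.ParseRevocationList(crlDER) // decode only, like CertCreateCRLContext
	if err != nil {
		return nil, fmt.Errorf("decode CRL: %w", err)
	}
	issuer, err := x509.ParseCertificate(issuerDER)
	if err != nil {
		return nil, fmt.Errorf("decode issuer certificate: %w", err)
	}
	// 1. The issuer field is just a name; it must at least match the candidate's subject.
	if !bytes.Equal(crl.RawIssuer, issuer.RawSubject) {
		return nil, errors.New("CRL issuer name does not match candidate certificate subject")
	}
	// 2. The proof: the signature over tbsCertList must verify under the candidate's
	//    public key. CheckSignatureFrom also enforces CA=TRUE and keyUsage cRLSign.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("CRL signature: %w", err)
	}
	// 3. Consistency: the authorityKeyIdentifier, when present, must name this key.
	if len(crl.AuthorityKeyId) > 0 && !bytes.Equal(crl.AuthorityKeyId, issuer.SubjectKeyId) {
		return nil, errors.New("CRL authorityKeyIdentifier does not match candidate certificate")
	}
	// 4. Freshness: a validly signed but stale CRL can be replayed to hide a revocation.
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return nil, fmt.Errorf("CRL not current (thisUpdate %s, nextUpdate %s)", crl.ThisUpdate, crl.NextUpdate)
	}
	// 5. A good signature from an untrusted key proves nothing: the issuer itself
	//    must chain to a trusted root (the Root store, in Win32 terms).
	if _, err := issuer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return nil, fmt.Errorf("CRL issuer not trusted: %w", err)
	}
	return crl, nil
}

// IsRevoked looks a serial number up in a CRL that has already been verified.
func IsRevoked(crl *x509.RevocationList, serial *big.Int) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

// Fixture is the constructed scenario: one trusted CA, one rogue CA that reuses
// the trusted CA's name with its own key, and a CRL from each (DER encoded).
type Fixture struct {
	Now                                   time.Time
	Roots                                 *x509.CertPool
	TrustedCA, RogueCA, GoodCRL, RogueCRL []byte
}

func BuildFixture() (*Fixture, error) {
	now := time.Now().UTC().Truncate(time.Second)
	trusted, trustedDER, trustedKey, err := newCA("Example Root CA", now)
	if err != nil {
		return nil, err
	}
	rogue, rogueDER, rogueKey, err := newCA("Example Root CA", now) // same name, rogue key
	if err != nil {
		return nil, err
	}
	tmpl := &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(0x1234), RevocationTime: now.Add(-30 * time.Minute)}},
	}
	goodCRL, err := x509.CreateRevocationList(rand.Reader, tmpl, trusted, trustedKey)
	if err != nil {
		return nil, err
	}
	rogueCRL, err := x509.CreateRevocationList(rand.Reader, tmpl, rogue, rogueKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted) // only the genuine CA is trusted
	return &Fixture{Now: now, Roots: roots, TrustedCA: trustedDER, RogueCA: rogueDER, GoodCRL: goodCRL, RogueCRL: rogueCRL}, nil
}

func main() {
	f, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	for _, c := range []struct{ name string; crl, issuer []byte }{
		{"genuine CRL, trusted issuer", f.GoodCRL, f.TrustedCA},
		{"rogue CRL checked against the trusted issuer", f.RogueCRL, f.TrustedCA},
		{"rogue CRL checked against its own (untrusted) issuer", f.RogueCRL, f.RogueCA},
	} {
		crl, err := VerifyCRLIssuer(c.crl, c.issuer, f.Roots, f.Now)
		if err != nil {
			fmt.Printf("%-52s REJECT: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-52s OK: CRL #%s, serial 0x1234 revoked=%v\n", c.name, crl.Number, IsRelevant(crl))
	}
}

// IsRelevant is a small helper for the demo output: is the constructed serial listed?
func IsRelevant(crl *x509.RevocationList) bool { return IsRevoked(crl, big.NewInt(0x1234)) }
```

The order of the checks is the point: the name comparison only selects a candidate issuer, the signature check is what proves authorship, and the final chain check is what turns "signed by some key" into "signed by a CA in the Root store". Step 4 is the caveat Mitch's "CRL files have to change dynamically" hints at: a CRL that is genuine but past its nextUpdate must be refused, otherwise an attacker who can serve you an old CRL can hide a later revocation.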
