
List:       ms-cryptoapi
Subject:    CTL....
From:       Jayant Sane <jayant () FRONTIERTECH ! COM>
Date:       2000-03-24 16:16:20


I have some questions regarding CTL handling in general and
particularly how OE5 does it.

Configuration details:
Win98
IE 5.00.2919.6307
OE 5.00.2919.6600

Various cert store contents (HKEY CurrentUser leg):
My: test certificate issued by testCA (setup internally)
Root: TestCA certificate (apart from others)
Trust: CTL signed by Trust List Signer certificate

*Note:
1. The "Trust List Signer" certificate is NOT present in Root store
2. The test certificate is not listed in the CTL.

Should/Would verification of a message signed by the test certificate
succeed? OE does not complain.

Possibility #1
I would think no if the CTL checking happens in following manner:
Check if CTL present
If yes, check if it is good and signed by something trusted
If the CTL signer is not "trusted", stop -- we have a problem

Possibility #2
While it can succeed if CTL checking is done in this manner:
Check if CTL is present
If yes, check if the signer certificate in question is listed as good/bad in it
If not listed at all, fine --- continue with rest of verification
If yes, then check if CTL is good & signed by something trusted (in the root store)

But of the above, the latter appears unintuitive. Which one is right or what
is the correct way of checking if neither?

rgds
-Jayant
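
Added example (not part of the original message, and not CryptoAPI or OE5 code): a small Python model of the two check orders described above, run against the store contents listed in the message. The names CTL, Stores, post_configuration and the entry "some other certificate" are constructed for illustration, and the model only captures when the CTL signer's trust is evaluated, not what happens after a CTL is accepted.

```python
from dataclasses import dataclass

# Constructed model: certificates are identified by plain name strings.
@dataclass(frozen=True)
class CTL:
    signer: str              # certificate that signed the trust list
    entries: frozenset       # certificates the list names
    signature_ok: bool = True

@dataclass(frozen=True)
class Stores:
    root: frozenset          # Root store contents
    trust: tuple             # CTLs in the Trust store

def ctl_trusted(ctl, stores):
    """CTL is good and its signer is in the Root store (simplified)."""
    return ctl.signature_ok and ctl.signer in stores.root

def possibility_1(cert, stores):
    """Any CTL present must be good and trusted, whatever it lists."""
    for ctl in stores.trust:
        if not ctl_trusted(ctl, stores):
            return False
    return True   # continue with rest of verification

def possibility_2(cert, stores):
    """A CTL's own trust is checked only if it lists the certificate."""
    for ctl in stores.trust:
        if cert in ctl.entries and not ctl_trusted(ctl, stores):
            return False
    return True   # continue with rest of verification

def post_configuration(listed=False, signer_in_root=False):
    """Stores as described in the message, with two switches to vary them."""
    entries = {"some other certificate"} | ({"test certificate"} if listed else set())
    root = {"TestCA"} | ({"Trust List Signer"} if signer_in_root else set())
    ctl = CTL("Trust List Signer", frozenset(entries))
    return Stores(frozenset(root), (ctl,))

if __name__ == "__main__":
    for listed in (False, True):
        for in_root in (False, True):
            s = post_configuration(listed, in_root)
            print(f"listed={listed!s:5} signer_in_root={in_root!s:5} "
                  f"#1={possibility_1('test certificate', s)} "
                  f"#2={possibility_2('test certificate', s)}")
```

For the configuration in the message the two orders disagree: #1 stops at the untrusted CTL signer while #2 continues. They agree once the test certificate is listed in the CTL or the Trust List Signer is in Root.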
