List: ms-cryptoapi
Subject: Re: (U) (U//FOUO) Flushing the CRL from memory too
From: Joe Steele <steele () ADOBE ! COM>
Date: 2003-02-19 19:44:44
Thanks for the good ideas. Unfortunately I can't use them for my
situation.

I can't unload the dll or recreate all my contexts, since I may have
contexts which have been authenticated and which I do not want to force
the user to re-authenticate to every time I build a chain.

As far as expiring the CRLs more frequently, the issue is not that I
want to issue CRLs frequently (I do not), but that if I do issue one I
want it to take effect ASAP.

I agree with you as far as OCSP goes, but again that is not something I
control. I am limited to what comes with Windows, which is CRL-based
revocation.

Thanks again though. If you think of anything else, please let me know!

Joe

> -----Original Message-----
> From: Microsoft Cryptographic API
> [mailto:CryptoAPI@DISCUSS.MICROSOFT.COM] On Behalf Of David L
> Sent: Wednesday, February 19, 2003 6:25 AM
> To: CryptoAPI@DISCUSS.MICROSOFT.COM
> Subject: Re: (U) (U//FOUO) Flushing the CRL from memory too
>
> I never actually tried to do this, but it is worth trying to
> bin every context you have and recreate them. SSL sessionIDs
> for example are associated with the Credentials used to
> negotiate the handshake. As a last resort, you may want to
> try unloading the SChannel library itself.
>
> All these are hacks though. In reality, this is simply
> functionality which MS have no reason to support. If you
> want to issue CRLs regularly you should simply make them
> expire often! Have a look at delta CRL support or (if your
> requirements are strict) maybe CRLs aren't the solution for
> you, OCSP (online certificate service provider) provides a
> URL to which you can request the current revocation status of
> any certificate serial number. This isn't included by
> default in SChannel, though.
>
> Good luck!
>
> DDD