List:       ms-cryptoapi
Subject:    Re: (U) (U//FOUO) Flushing the CRL from memory too
From:       Joe Steele <steele () ADOBE ! COM>
Date:       2003-02-19 19:44:44

Thanks for the good ideas. Unfortunately I can't use them for my
situation.

I can't unload the dll or recreate all my contexts, since I may have
contexts which have been authenticated and which I do not want to force
the user to re-authenticate to every time I build a chain.

As far as expiring the CRLs more frequently, the issue is not that I
want to issue CRLs frequently (I do not), but that if I do issue one I
want it to take effect ASAP.

I agree with you as far as OCSP goes, but again that is not something I
control. I am limited to what comes with Windows, which is CRL-based
revocation.

Thanks again though. If you think of anything else, please let me know!

Joe

> -----Original Message-----
> From: Microsoft Cryptographic API
> [mailto:CryptoAPI@DISCUSS.MICROSOFT.COM] On Behalf Of David L
> Sent: Wednesday, February 19, 2003 6:25 AM
> To: CryptoAPI@DISCUSS.MICROSOFT.COM
> Subject: Re: (U) (U//FOUO) Flushing the CRL from memory too
>
> I never actually tried to do this, but it is worth trying to
> bin every context you have and recreate them.  SSL sessionIDs
> for example are associated with the Credentials used to
> negotiate the handshake.  As a last resort, you may want to
> try unloading the SChannel library itself.
>
> All these are hacks though.  In reality, this is simply
> functionality which MS have no reason to support.  If you
> want to issue CRLs regularly you should simply make them
> expire often!  Have a look at delta CRL support or (if your
> requirements are strict) maybe CRLs aren't the solution for
> you, OCSP (online certificate service provider) provides a
> URL to which you can request the current revocation status of
> any certificate serial number.  This isn't included by
> default in SChannel, though.
>
> Good luck!
>
> DDD
