
RE: Help Sought on Netscape Revocation URL causing MS Programs to hang
Ron, Microsoft implements its revocation checking logic in a library called
cryptnet.dll; in this DLL there is an implementation of a function called
CryptVerifyRevocation. When the cryptnet.dll function is registered as a
provider to CryptVerifyRevocation it will be called when a revocation check
is requested. This DLL has had several updates and may or may not have this
behavior in all versions (What version of the OS and service pack are you
running?)

Regardless, there are several ways to work with this issue:

1. Disable revocation checking (which can be done by removing the
problematic CertVerifyRevocation provider in the registry, or at the
application level by telling the application not to check for revocation) --
Not much of a solution I know; but 5 min delay for attempting to retrieve
the CRL is insane.
2. ValiCert has a "Desktop Validator" solution that has an implementation of
the CryptVerifyRevocation call that supports OCSP, SCVP and CRLs. If you
install this plug-in you can configure it to supersede all other revocation
providers. In this configuration you would not be exposed to this problem.
However, the shipping version of this product does not support automatically
retrieving CRLs based off of certificate extensions (aka CRLdp and
NetscapeRevocationURL). Instead you must configure either a default
OCSP/SCVP responder or specify a CA-specific responder or CRL location. If
you would like to use OCSP we at ValiCert have a responder and the good
folks over at OpenSSL have been working on an implementation as well.

Hope this helps,

Ryan M. Hurst
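
The application-level side of option 1 above, as an added example that is not part of Ryan's reply and not ValiCert or Microsoft code: a PowerShell script that uses .NET's X509Chain (which on Windows wraps CryptoAPI chain building, the same path cryptnet.dll's provider is invoked from) either to skip revocation checking entirely or to bound how long CRL/OCSP retrieval may take, so a bad revocation URL cannot stall the caller for minutes. The certificate file path and the 2-second timeout are assumptions; the result object also reports whether the revocation status could be determined, so the caller can decide to fail closed instead of silently treating "unknown" as "good".

```powershell
# Added example (not from the thread): control revocation checking at the
# application level via .NET's X509Chain, which wraps CryptoAPI's chain engine.
# Assumptions: a DER/PEM certificate file at $CertPath; 2 seconds is an
# illustrative bound on per-URL CRL/OCSP retrieval.
param(
    [string]$CertPath = 'C:\certs\leaf.cer',   # assumption: certificate under test
    [int]$TimeoutSeconds = 2                    # assumption: retrieval bound per URL
)

function Test-ChainWithRevocation {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode,
        [timespan]$UrlTimeout
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    try {
        $chain.ChainPolicy.RevocationMode = $Mode
        # Check every certificate in the chain, not only the end-entity cert.
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        # Cap the time CryptoAPI may spend fetching any single CRL/OCSP URL; this
        # is what keeps an unreachable revocation URL from hanging the caller.
        $chain.ChainPolicy.UrlRetrievalTimeout = $UrlTimeout
        # Do not ignore an unknown revocation status; surface it in ChainStatus.
        $chain.ChainPolicy.VerificationFlags =
            [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        $ok = $chain.Build($Certificate)
        $sw.Stop()

        # One entry per problem found; Status is an X509ChainStatusFlags value.
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        [pscustomobject]@{
            Mode              = $Mode
            Valid             = $ok
            ElapsedMs         = $sw.ElapsedMilliseconds
            # True when the check could not complete (CRL/OCSP unreachable):
            # a caller that wants to fail closed must treat this as a failure.
            RevocationUnknown = ($status -contains 'RevocationStatusUnknown') -or
                                ($status -contains 'OfflineRevocation')
            StatusFlags       = ($status | Sort-Object -Unique) -join ','
        }
    }
    finally {
        $chain.Dispose()
    }
}

$cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$timeout = [timespan]::FromSeconds($TimeoutSeconds)

# Option 1 from the reply at the application level: no revocation check at all.
Test-ChainWithRevocation -Certificate $cert -Mode NoCheck -UrlTimeout $timeout

# Bounded online check: Build() returns after roughly the timeout per URL
# instead of hanging, and RevocationUnknown tells the caller what happened.
Test-ChainWithRevocation -Certificate $cert -Mode Online -UrlTimeout $timeout
```

Run it twice against the same certificate and compare ElapsedMs: with NoCheck the build is immediate, and with Online plus a bounded UrlRetrievalTimeout it returns promptly even when the CRL location is dead, with RevocationUnknown set so the decision to accept or reject stays with the application rather than with a five-minute socket timeout.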

-----Original Message-----
From: Ron Segal [mailto:ron.segal@xxxxxxxxxxxxx]
Sent: Wednesday, April 18, 2001 6:59 PM
To: ietf-pkix@xxxxxxx
Subject: Help Sought on Netscape Revocation URL causing MS Programs to hang


Hi Folks

If an X.509 v3 certificate contains a proprietary NetscapeRevocationURL
extension and a Microsoft program (e.g. email or browser) is configured to do
automatic CRL Distribution Point Checking, then the Microsoft program will
hang and timeout after about 5 minutes.

Does anybody know of a fix for this problem, e.g. a registry configuration
(no cynicism please!)?

We are aware that if a cert has both the NetscapeRevocationURL and CRL
Distribution Point extensions, then no problem.

Your help would be greatly appreciated (and maybe you can get a job at
Baycorp!).

Very best regards

Ron

--------------
Ron Segal
Business Development Manager
Baycorp ID Services Ltd
PO Box 5052, Wellington, New Zealand

Mailto: ron.segal@xxxxxxxxxxxxx
Tel:   +64 (4)  499 4231
DD:    +64 (4)  499 4261
Mob:   +64 (21) 678 009
Fax:   +64 (4)  499 4233
Web:   http://www.baycorpid.com