
RE: Help Sought on Netscape Revocation URL causing MS Programs to hang



Hi David

Thanks for your offer to check out the certificate chain.

Actually a clear explanation has now been offered by free Microsoft
support (unexpectedly rapid and knowledgeable service I might add, particularly
as it was a free web query).

It seems that if the revocation check itself is to a secure server (https)
and the server certificate itself has a Netscape revocation extension, a
recursive revocation process can occur.  Microsoft are providing a partial
fix for this in their new version of Office (XP) by detecting the recursion
and halting the process.  If this happens the revocation check will fail to
provide revocation status. The optimum solution is to remove the Netscape
revocation extension from the server certificate.

I'm copying this to the list so that others will see that the problem has
been 'solved', and the solution (please note server cert providers!).

Hope that I did not miss any messages and personally thanked everybody who
responded, at least that was the intention.

Very best regards

Ron


--------------
Ron Segal
Business Development Manager
Baycorp ID Services Ltd
PO Box 5052, Wellington, New Zealand

Mailto: ron.segal@xxxxxxxxxxxxx
Tel:   +64 (9)  356 5801
DD:    +64 (4)  499 4261
Mob:   +64 (21) 678 009
Fax:   +64 (9)  356 5818
Web:   http://www.baycorpid.com


If you received a warning on reading this email, please go to
<http://www.baycorpid.com/settings/email.asp> to update your settings


-----Original Message-----
From: David Cross [mailto:dcross@xxxxxxxxxxxxx]
Sent: Friday, 20 April 2001 1:39 a.m.
To: Ron Segal; ietf-pkix@xxxxxxx
Subject: RE: Help Sought on Netscape Revocation URL causing MS Programs
to hang


I will pass on the job offer, but have you verified that the URLs are
valid that are listed in the certificate?  If the URLs are no longer
valid or cannot be reached, that might explain the behaviour.  If you
want to send me the certificate chain (privately), we can take a look at
it.

David B. Cross






-----Original Message-----
From: Ron Segal [mailto:ron.segal@xxxxxxxxxxxxx]
Sent: Wednesday, April 18, 2001 6:59 PM
To: ietf-pkix@xxxxxxx
Subject: Help Sought on Netscape Revocation URL causing MS Programs to
hang


Hi Folks

If an X.509 v3 certificate contains a proprietary NetscapeRevocationURL
extension and a Microsoft program (eg email or browser) is configured to
do automatic CRL Distribution Point Checking, then the Microsoft program
will hang and timeout after about 5 minutes.

Does anybody know of a fix for this problem, e.g. a registry
configuration (no cynicism please!)?

We are aware that if a cert has both the NetscapeRevocationURL and CRL
Distribution Point extensions, then no problem.

Your help would be greatly appreciated (and maybe you can get a job at
Baycorp!).

Very best regards

Ron

--------------
Ron Segal
Business Development Manager
Baycorp ID Services Ltd
PO Box 5052, Wellington, New Zealand

Mailto: ron.segal@xxxxxxxxxxxxx
Tel:   +64 (4)  499 4231
DD:    +64 (4)  499 4261
Mob:   +64 (21) 678 009
Fax:   +64 (4)  499 4233
Web:   http://www.baycorpid.com
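
The recursion described in the reply at the top of this thread, as an added example (a constructed Python model, not Microsoft's code and not part of the original messages). The certificate dictionaries, the `nsrev` field and the `rev.example.test` host are assumptions made for illustration; no real TLS or HTTP is performed.

```python
from urllib.parse import urlsplit

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

class RevocationChecker:
    """Constructed model: a cert is a dict; "nsrev" is its NetscapeRevocationURL
    value, or None when the extension is absent. No real TLS or HTTP is done."""

    def __init__(self, server_certs, revoked_serials, guard=True):
        self.server_certs = server_certs   # hostname -> cert that HTTPS server presents
        self.revoked = revoked_serials     # serials the revocation service reports revoked
        self.guard = guard                 # True: detect recursion and halt
        self.fetches = 0                   # simulated revocation fetches completed

    def check(self, cert, in_progress=frozenset()):
        url = cert.get("nsrev")
        if url is None:
            return GOOD                    # model assumption: nothing to look up
        if self.guard and cert["serial"] in in_progress:
            return UNKNOWN                 # already checking this cert: halt
        parts = urlsplit(url)
        if parts.scheme == "https":
            # Fetching over https means validating the server's certificate first,
            # which includes checking *its* revocation status.
            server_cert = self.server_certs[parts.hostname]
            if self.check(server_cert, in_progress | {cert["serial"]}) != GOOD:
                return UNKNOWN             # cannot trust the channel, so no status
        self.fetches += 1
        return REVOKED if cert["serial"] in self.revoked else GOOD


URL = "https://rev.example.test/check?serial="   # hypothetical revocation URL
user_cert = {"serial": 1, "nsrev": URL}
looping_server = {"serial": 2, "nsrev": URL}      # server cert carries the extension
fixed_server = {"serial": 2, "nsrev": None}       # extension removed from server cert

def run(server_cert, guard=True):
    checker = RevocationChecker({"rev.example.test": server_cert}, {1}, guard)
    try:
        return checker.check(user_cert), checker.fetches
    except RecursionError:                 # stands in for the hang described above
        return "hang", checker.fetches

if __name__ == "__main__":
    print(run(looping_server, guard=False))  # unguarded: never terminates on its own
    print(run(looping_server))               # guarded: halts, but no status
    print(run(fixed_server))                 # extension removed: status obtained
```

With the guard the check terminates but returns no status, matching the partial fix described; only removing the extension from the server certificate lets the lookup complete.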