RE: Help Sought on Netscape Revocation URL causing MS Programs to hang
Hi Ron
Sorry for the confusion, it is fixed in Windows XP. Revocation handling
is done as part of CryptoAPI which is an OS component.
Trevor
-----Original Message-----
From: Ron Segal [mailto:ron.segal@xxxxxxxxxxxxx]
Sent: Thursday, April 19, 2001 2:32 PM
To: David Cross
Cc: ietf-pkix@xxxxxxx
Subject: RE: Help Sought on Netscape Revocation URL causing MS Programs to hang
Hi David
Thanks for your offer to check out the certificate chain.
Actually a clear explanation has now been offered by free Microsoft
support (unexpectedly rapid and knowledgeable service I might add,
particularly as it was a free web query).
It seems that if the revocation check itself is to a secure server
(https) and the server certificate itself has a Netscape revocation
extension, a recursive revocation process can occur. Microsoft are
providing a partial fix for this in their new version of Office (XP) by
detecting the recursion and halting the process. If this happens the
revocation check will fail to provide revocation status. The optimum
solution is to remove the Netscape revocation extension from the server
certificate.
I'm copying this to the list so that others will see that the problem
has been 'solved', and the solution (please note server cert providers!).
Hope that I did not miss any messages and personally thanked everybody
who responded, at least that was the intention.
Very best regards
Ron
--------------
Ron Segal
Business Development Manager
Baycorp ID Services Ltd
PO Box 5052, Wellington, New Zealand
Mailto: ron.segal@xxxxxxxxxxxxx
Tel: +64 (9) 356 5801
DD: +64 (4) 499 4261
Mob: +64 (21) 678 009
Fax: +64 (9) 356 5818
Web: http://www.baycorpid.com
If you received a warning on reading this email, please go to
<http://www.baycorpid.com/settings/email.asp> to update your settings
-----Original Message-----
From: David Cross [mailto:dcross@xxxxxxxxxxxxx]
Sent: Friday, 20 April 2001 1:39 a.m.
To: Ron Segal; ietf-pkix@xxxxxxx
Subject: RE: Help Sought on Netscape Revocation URL causing MS Programs to hang
I will pass on the job offer, but have you verified that the URLs are
valid that are listed in the certificate? If the URLs are no longer
valid or cannot be reached, that might explain the behaviour. If you
want to send me the certificate chain (privately), we can take a look at
it.
David B. Cross
-----Original Message-----
From: Ron Segal [mailto:ron.segal@xxxxxxxxxxxxx]
Sent: Wednesday, April 18, 2001 6:59 PM
To: ietf-pkix@xxxxxxx
Subject: Help Sought on Netscape Revocation URL causing MS Programs to hang
Hi Folks
If an X.509 v3 certificate contains a proprietary NetscapeRevocationURL
extension and a Microsoft program (eg email or browser) is configured to
do automatic CRL Distribution Point Checking, then the Microsoft program
will hang and timeout after about 5 minutes.
Does anybody know of a fix for this problem, e.g. a registry
configuration (no cynicism please!)?
We are aware that if a cert has both the NetscapeRevocationURL and CRL
Distribution Point extensions, then no problem.
Your help would be greatly appreciated (and maybe you can get a job at
Baycorp!).
Very best regards
Ron
--------------
Ron Segal
Business Development Manager
Baycorp ID Services Ltd
PO Box 5052, Wellington, New Zealand
Mailto: ron.segal@xxxxxxxxxxxxx
Tel: +64 (4) 499 4231
DD: +64 (4) 499 4261
Mob: +64 (21) 678 009
Fax: +64 (4) 499 4233
Web: http://www.baycorpid.com
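
The recursion described in the thread (an https revocation server whose own certificate carries a revocation URL) and the detect-and-halt behaviour can be modelled as follows. This is an added illustration, not code from any poster or from Microsoft; the host names, `SERVER_CERTS` and both functions are constructed for the example, and the responder is assumed to answer "good" whenever it can be reached.

```python
from urllib.parse import urlsplit

# Constructed sample data: host -> revocation URL carried in that host's own
# server certificate (None = the extension has been removed).
SERVER_CERTS = {
    "revoke.example": "https://revoke.example/status",  # points back at itself
    "a.example": "https://b.example/status",            # two-host loop
    "b.example": "https://a.example/status",
    "clean.example": None,
}

def naive_lookups(rev_url, certs, limit=25):
    """Count nested lookups an unguarded checker starts, capped at `limit`."""
    count = 0
    while rev_url is not None and count < limit:
        parts = urlsplit(rev_url)
        if parts.scheme != "https":
            return count + 1          # plain fetch, no server cert to validate
        count += 1
        rev_url = certs.get(parts.hostname)  # must now check the server's cert
    return count

def check_revocation(rev_url, certs, in_progress=None):
    """Return (status, hosts); status is 'good' or 'unknown' (loop detected)."""
    hosts = [] if in_progress is None else in_progress
    parts = urlsplit(rev_url)
    if parts.scheme == "https":
        host = parts.hostname
        if host in hosts:
            return "unknown", hosts   # recursion: halt, no status available
        hosts.append(host)
        nested = certs.get(host)
        if nested is not None:
            status, _ = check_revocation(nested, certs, hosts)
            if status == "unknown":
                return "unknown", hosts
    # Assumption of this model: a reachable responder reports "not revoked".
    return "good", hosts

if __name__ == "__main__":
    for url in ("https://revoke.example/status", "https://a.example/status",
                "https://clean.example/status", "http://revoke.example/status"):
        print(url, naive_lookups(url, SERVER_CERTS),
              check_revocation(url, SERVER_CERTS))
```

The guarded check terminates on both loops but returns "unknown", matching the partial fix described above; only the server whose certificate has no revocation URL yields a status.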