
RE: Online Certificate Revocation Protocol



> Does this relate to why the "emergency CRL" published after the bogus
> Microsoft code-signing certs were issued was not a "real CRL"?  I
> understood that Microsoft supported one form of "CRL mechanism" while they
> routinely employed certificates incompatible with that mechanism, and that
> was the reason they could not "just revoke" the (bad) certificates that were
> issued.

According to this:

http://amug.org/~glguerin/opinion/revocation.html

the problem is that Microsoft software will only find CRLs specified in the
CRL Distribution Point extension in the certificate. Verisign does not use
this method. Since the use of this field is optional and Verisign has been
operating since before the field was even defined, it is debatable who is to
blame for this situation.

Apparently Microsoft's "fix" was to hotwire a special CRL, containing just
these two certs, into their products.

Hal
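An added example (mine, not code from this message or from the linked page) of the lookup behaviour described above, using Go's standard crypto/x509: a client that only follows the CRL Distribution Point extension finds a CRL URL for a certificate that carries the extension and nothing at all for one that omits it. The two certificates and the crl.example URL are constructed here for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)
// ErrNoCDP: a CDP-only client has nowhere to look for a CRL when the extension is absent.
var ErrNoCDP = errors.New("no CRL Distribution Point extension in certificate")

// crlLocations mimics a CDP-only client: CRL URLs from the DER certificate, or ErrNoCDP.
func crlLocations(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	if len(cert.CRLDistributionPoints) == 0 {
		return nil, ErrNoCDP
	}
	return cert.CRLDistributionPoints, nil
}

// selfSignedCert builds a throwaway self-signed cert (constructed test data, not any real CA's) with the given CDP URLs; nil means none.
func selfSignedCert(cdp []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "test.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		CRLDistributionPoints: cdp,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	for _, cdp := range [][]string{{"http://crl.example/ca.crl"}, nil} {
		der, _ := selfSignedCert(cdp) // constructed input; error ignored in the demo
		fmt.Println(crlLocations(der)) // first: URL list, <nil>; second: [], ErrNoCDP
	}
}
```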