BugTraq
Windows doesn't verify digital signature of CRL files Aug 09 2004 02:31PM
Faro Poplar (faropoplar yahoo com) (1 replies)
Re: Windows doesn't verify digital signature of CRL files Aug 10 2004 07:32AM
Thomas Walpuski (thomas-bugtraq unproved org) (2 replies)
Re: Windows doesn't verify digital signature of CRL files Aug 10 2004 06:07PM
Valdis Kletnieks vt edu
Re: Windows doesn't verify digital signature of CRL files Aug 10 2004 04:07PM
Neil Gierman (ngierman roadrunn com) (2 replies)
Re: Windows doesn't verify digital signature of CRL files Aug 10 2004 06:40PM
Thomas Walpuski (thomas-bugtraq unproved org)
Re: Windows doesn't verify digital signature of CRL files Aug 10 2004 06:25PM
Jack Lloyd (lloyd randombit net) (1 replies)
Re: Windows doesn't verify digital signature of CRL files Aug 11 2004 06:52AM
Thomas Walpuski (thomas-bugtraq unproved org)
* Jack Lloyd wrote:
> If Windows is not checking the signature, not only can you remove or alter
> revocations, you can also add ones.

Microsoft's CryptoAPI does check the CRL's signature. It just does not
check it on retrieval, but in the process of verifying certificates.

> Oddly, I couldn't find any language in RFC 3280 that actually requires
> verifying the signature in a CRL. Strange.

RFC 3280, 6.3.3 CRL Processing:

For each distribution point (DP) in the certificate CRL distribution
points extension, for each corresponding CRL in the local CRL cache,
while ((reasons_mask is not all-reasons) and (cert_status is
UNREVOKED)) perform the following:

[..]

(f) Obtain and validate the certification path for the complete CRL
issuer. If a key usage extension is present in the CRL issuer's
certificate, verify that the cRLSign bit is set.

(g) Validate the signature on the complete CRL using the public key
validated in step (f).

That's almost exactly what Microsoft's CryptoAPI does.

Thomas Walpuski

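The distinction Thomas draws above (the signature is not checked when the CRL is fetched, but during certificate path validation, per RFC 3280 6.3.3 steps (f) and (g)) can be seen directly in Go's standard library, which behaves the same way: x509.ParseRevocationList only decodes the CRL, and RevocationList.CheckSignatureFrom performs the signature check. The following program is an added example and is not code from the thread or from Microsoft. It builds a throwaway CA and CRL (constructed data), then shows that a CRL whose revocation entry was altered still parses and no longer lists the serial, but is rejected at validation time, and that an issuer certificate without the cRLSign bit is rejected at step (f). The function names makeIssuer, makeCRL, listedRevoked, checkCRL and tamperSerial, and the serial 4242, are choices made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeIssuer builds a self-signed CA (constructed data); crlSign controls the cRLSign bit.
func makeIssuer(crlSign bool) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CRL Issuer"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
		SubjectKeyId: []byte{1, 2, 3, 4}, // CreateRevocationList requires an issuer SKID
	}
	if crlSign {
		tmpl.KeyUsage |= x509.KeyUsageCRLSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeCRL issues a CRL revoking one serial, signed with the issuer's key.
func makeCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, serial int64) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: time.Now()}},
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// listedRevoked is "retrieval only": ParseRevocationList reads entries but checks no signature.
func listedRevoked(der []byte, serial int64) (bool, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Int64() == serial {
			return true, nil
		}
	}
	return false, nil
}

// checkCRL is the validation-time check: (f) the CRL issuer's certificate must carry
// cRLSign, (g) the CRL signature must verify under that issuer's public key.
func checkCRL(der []byte, issuer *x509.Certificate) (*x509.RevocationList, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	if issuer.KeyUsage&x509.KeyUsageCRLSign == 0 {
		return nil, fmt.Errorf("step (f): issuer certificate lacks cRLSign")
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil { // also re-checks cRLSign
		return nil, fmt.Errorf("step (g): %w", err)
	}
	return crl, nil
}

// tamperSerial simulates an edited CRL file: DER INTEGER 4242 (02 02 10 92) becomes 4243.
func tamperSerial(der []byte) ([]byte, error) {
	i := bytes.Index(der, []byte{0x02, 0x02, 0x10, 0x92})
	if i < 0 {
		return nil, fmt.Errorf("serial 4242 not found in DER")
	}
	out := append([]byte(nil), der...)
	out[i+3] = 0x93
	return out, nil
}

func main() {
	ca, key, err := makeIssuer(true)
	if err != nil {
		panic(err)
	}
	der, _ := makeCRL(ca, key, 4242)
	bad, _ := tamperSerial(der)
	listed, _ := listedRevoked(bad, 4242)
	_, goodErr := checkCRL(der, ca)
	_, badErr := checkCRL(bad, ca)
	fmt.Println("genuine validates:", goodErr == nil, "tampered lists 4242:", listed, "tampered rejected:", badErr != nil)
}
```

The point to take from the run is the middle value: after one byte of the revokedCertificates entry is changed, the CRL still parses and the serial is simply absent, which is exactly why a relying party must treat the parsed contents as untrusted until step (g) has run against an issuer that passed step (f).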
Copyright 2010, SecurityFocus