Can't respond to everything at once, but let me at least try to pick off
the easy ones:
On 5/1/2013 4:44 PM, Brian Smith wrote:
> Sean Leonard wrote:
>> Brian Smith wrote:
>>> The "Revocation Lists" feature allows a user to configure Firefox
>>> to poll the CA's server on a regular interval. As far as I know,
>>> Firefox is the only browser to have such a feature. Other browsers
>>> either ignore CRLs completely or download CRLs on an "as needed"
>>> basis based on a URL embedded in the certificate.
>> This is not true.
>> The Microsoft Windows CryptoAPI stack allows users (and admins) to
>> load CRLs manually, not just via an automated network call during
>> certificate validation. These CRLs are checked by default (indeed,
>> in preference to the network download) if they are present. Admins
>> can push updated CRLs to PCs as well.
> Thanks for correcting my mistake. I did search for this feature, but I could
> not find it. How does one access this feature?
Run > certmgr.msc
(This opens the "Certificates" MMC component to "Current User")
Intermediate Certification Authorities > Certificate Revocation Lists
If you want to store CRLs in other stores, you can open mmc.exe, add the
Certificates component, and choose the user (notably, you can choose the
"Local Computer" store, or the "Service" store).
To import: it's actually pretty easy. Just right-click on the .crl file
in Explorer, and select "Install CRL".
Can also use certmgr.exe /CRL with /add, /delete, and /put. (This is
conceptually identical to NSS crlutil that Bob mentioned.)
Some links:
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/07a3a4a2-3b86-4d51-8986-b98cc62060e4/
http://technet.microsoft.com/en-us/library/cc753863.aspx
http://technet.microsoft.com/en-us/library/cc731638.aspx
http://technet.microsoft.com/en-us/library/cc782162(v=WS.10).aspx
http://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc754877.aspx
While I did not find a specific pre-configured Group Policy Object to
deploy CRLs, I am sure that something exists. Anyway, it's pretty easy.
Here's the thing. You can just promulgate a batch file to run
certmgr.exe /CRL /add (analogous to NSS crlutil), you can call the
CryptoAPIs (analogous to calling the NSS APIs), or you can add the CRL
to the Registry directory (analogous to editing the cert8.db/cert9.db
database, or, I suppose, calling the PKCS #11 softoken APIs). The
Registry key where those particular CRLs are stored is
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs. The
subkey is the SHA-1 hash of the CRL.
-Sean
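A scripted version of the import-and-verify procedure Sean describes, as an added example that is not part of the thread and not Mozilla or Microsoft code. It imports a .crl file into the "CA" (Intermediate Certification Authorities) store for either the current user or the local computer, then checks the claim above about the registry layout by computing the SHA-1 of the DER-encoded CRL and looking for a subkey of that name under SystemCertificates\CA\CRLs. Assumptions: certutil.exe (shipped with Windows) is used for the import instead of the Windows SDK's certmgr.exe /CRL /add that Sean mentions; the LocalMachine scope needs an elevated shell; the function and parameter names are the example's own.

```powershell
# Added example: push a CRL into the CryptoAPI "CA" store and verify it landed
# in the registry under the SHA-1 hash of its DER encoding (assumption: the
# subkey name is the hash of the DER bytes, so PEM input is decoded first).
param(
    [Parameter(Mandatory)] [string] $CrlPath,
    [ValidateSet('CurrentUser', 'LocalMachine')] [string] $Scope = 'CurrentUser'
)

function Get-CrlDerBytes {
    # Return the CRL as DER bytes; base64-decode if the file is PEM-armoured.
    param([string] $Path)
    $raw = [System.IO.File]::ReadAllBytes($Path)
    $head = [System.Text.Encoding]::ASCII.GetString($raw, 0, [Math]::Min(40, $raw.Length))
    if ($head -match '-----BEGIN') {
        $pem = [System.Text.Encoding]::ASCII.GetString($raw)
        $b64 = ($pem -split "`n" | Where-Object { $_ -notmatch '^-----' }) -join ''
        return [Convert]::FromBase64String($b64.Trim())
    }
    return $raw
}

function Get-CrlSha1Thumbprint {
    # Upper-case hex SHA-1, the same form the registry subkey uses.
    param([byte[]] $Der)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try { return ($sha1.ComputeHash($Der) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $sha1.Dispose() }
}

function Get-CrlRegistryKey {
    # HKCU for the user store, HKLM for the "Local Computer" store.
    param([string] $Scope)
    $hive = if ($Scope -eq 'LocalMachine') { 'HKLM:' } else { 'HKCU:' }
    return "$hive\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs"
}

function Import-CrlToStore {
    # certutil -addstore accepts a CRL file as well as a certificate; -user
    # selects the current-user store, otherwise the machine store is used.
    param([string] $Path, [string] $Scope)
    $certutilArgs = @('-addstore', '-f')
    if ($Scope -eq 'CurrentUser') { $certutilArgs += '-user' }
    $certutilArgs += @('CA', $Path)
    & certutil.exe @certutilArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }
}

$der   = Get-CrlDerBytes -Path $CrlPath
$thumb = Get-CrlSha1Thumbprint -Der $der
Import-CrlToStore -Path $CrlPath -Scope $Scope

$key = Join-Path (Get-CrlRegistryKey -Scope $Scope) $thumb
if (Test-Path $key) {
    Write-Host "CRL $thumb is present in the $Scope CA store: $key"
} else {
    Write-Warning "certutil reported success but no subkey $thumb exists under $(Get-CrlRegistryKey -Scope $Scope)"
}

# A manually loaded CRL is only useful until its NextUpdate; show the window
# so the push can be scheduled before the list goes stale.
certutil.exe -dump $CrlPath | Select-String 'ThisUpdate|NextUpdate'

# Every CRL currently loaded in this scope, by hash, for auditing what a
# previous push left behind.
Get-ChildItem (Get-CrlRegistryKey -Scope $Scope) -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty PSChildName
```

Run it as `.\Import-Crl.ps1 -CrlPath .\intermediate.crl` for the current user, or with `-Scope LocalMachine` from an elevated shell to populate the store that services and the machine-wide validation path consult. The registry check is the part worth keeping in a deployment script: an import can "succeed" into the wrong scope, and comparing the hash subkey against the hash of the file you intended to push catches that before the next validation silently falls back to the network fetch.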
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto