On 02/05/2013 03:10, Sean Leonard wrote:
> Can't respond to everything at once, but let me at least try to pick
> off the easy ones:
>
> On 5/1/2013 4:44 PM, Brian Smith wrote:
>> Sean Leonard wrote:
>>> The Microsoft Windows CryptoAPI stack allows users (and admins) to
>>> load CRLs manually, not just via an automated network call during
>>> certificate validation. These CRLs are checked by default (indeed,
>>> in preference to the network download) if they are present. Admins
>>> can push updated CRLs to PCs as well.
>> Thanks for correcting my mistake. I did search for this feature, but
>> I could not find it. How does one access this feature?
>
> Run
> certmgr.msc
> (This opens the "Certificates" MMC component to "Current User")
>
> Intermediate Certification Authorities > Certificate Revocation Lists
>
> If you want to store CRLs in other stores, you can open mmc.exe, add
> the Certificates component, and choose the user (notably, you can
> choose the "Local Computer" store, or the "Service" store).
>
> To import: it's actually pretty easy. Just right-click on the .crl
> file in Explorer, and select "Install CRL".
>
> Can also use certmgr.exe /CRL with /add, /delete, and /put. (This is
> conceptually identical to NSS crlutil that Bob mentioned.)
>
> Some links:
> http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/07a3a4a2-3b86-4d51-8986-b98cc62060e4/
>
> http://technet.microsoft.com/en-us/library/cc753863.aspx
> http://technet.microsoft.com/en-us/library/cc731638.aspx
> http://technet.microsoft.com/en-us/library/cc782162(v=WS.10).aspx
> http://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx
> http://technet.microsoft.com/en-us/library/cc754877.aspx
>
> While I did not find a specific pre-configured Group Policy Object to
> deploy CRLs, I am sure that something exists. Anyway, it's pretty
> easy. Here's the thing. You can just promulgate a batch file to run
> certmgr.exe /CRL /add (analogous to NSS crlutil), you can call the
> CryptoAPIs (analogous to calling the NSS APIs), or you can add the CRL
> to the Registry directory (analogous to editing the cert8.db/cert9.db
> database, or, I suppose, calling the PKCS #11 softoken APIs). The
> Registry key where those particular CRLs are stored is
> HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs. The
> subkey is the SHA-1 hash of the CRL.
>
There would be a lot of benefit in doing something like that. If enterprise trust could also be imported from the Windows CryptoAPI, that would be two fewer seams in the transition for a company trying to transition away from IE.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
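The deployment route the quoted message sketches (a script pushed to each PC that adds the CRL to the CryptoAPI store, then the registry key under SystemCertificates\CA\CRLs as the place to confirm it landed) can be written as one PowerShell script. The following is an added example, not code from the thread or from Microsoft. It uses certutil.exe rather than the SDK certmgr.exe the message names, because certutil ships with every Windows install and its -addstore verb accepts CRL files; it assumes the .crl file is DER-encoded and that the registry subkey is the SHA-1 over those DER bytes, as the message states; and the HKLM path for the Local Computer store is my assumption (the message only gives the HKCU one). The file path is hypothetical.

```powershell
# Added example (not from the thread): import a CRL into the CryptoAPI CA
# store and verify it is present, the way a GPO startup/logon script would.
# Assumptions: certutil.exe stands in for the SDK certmgr.exe; the .crl file
# is DER-encoded; the registry subkey name is the SHA-1 of the DER bytes;
# the HKLM path mirrors the HKCU one the post gives (assumed, not from post).

param(
    [Parameter(Mandatory)] [string] $CrlPath,   # e.g. C:\crls\issuer.crl (hypothetical)
    [ValidateSet('CurrentUser', 'LocalMachine')] [string] $Scope = 'CurrentUser'
)

function Get-CrlRegistryRoot([string] $Scope) {
    # Registry location of the CA store's CRL container for each scope.
    switch ($Scope) {
        'CurrentUser'  { 'HKCU:\Software\Microsoft\SystemCertificates\CA\CRLs' }
        'LocalMachine' { 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs' }  # assumed
    }
}

function Get-CrlThumbprint([string] $Path) {
    # SHA-1 over the file bytes; this only equals the CryptoAPI thumbprint
    # when the file is DER, so refuse PEM input instead of silently mismatching.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 10 -and
        [System.Text.Encoding]::ASCII.GetString($bytes, 0, 10) -eq '-----BEGIN') {
        throw "$Path is PEM; convert to DER first (e.g. 'certutil -decode in.crl out.crl')."
    }
    (Get-FileHash -Path $Path -Algorithm SHA1).Hash.ToUpperInvariant()
}

function Install-LocalCrl([string] $Path, [string] $Scope) {
    # '-user' targets the Current User store; without it certutil writes to
    # Local Machine, which needs an elevated prompt. '-f' overwrites an
    # older copy of the same CRL.
    $cuArgs = @()
    if ($Scope -eq 'CurrentUser') { $cuArgs += '-user' }
    $cuArgs += @('-addstore', '-f', 'CA', $Path)
    & certutil.exe @cuArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil.exe failed with exit code $LASTEXITCODE" }
}

function Test-CrlInstalled([string] $Path, [string] $Scope) {
    # Confirms the import by looking for the thumbprint-named subkey,
    # the same key the quoted message identifies.
    $key = Join-Path (Get-CrlRegistryRoot $Scope) (Get-CrlThumbprint $Path)
    Test-Path $key
}

function Get-InstalledCrlThumbprints([string] $Scope) {
    # Enumerates what is already in the store, useful for drift checks
    # across a fleet before and after a push.
    $root = Get-CrlRegistryRoot $Scope
    if (Test-Path $root) { (Get-ChildItem $root).PSChildName } else { @() }
}

Install-LocalCrl -Path $CrlPath -Scope $Scope
if (Test-CrlInstalled -Path $CrlPath -Scope $Scope) {
    Write-Host "CRL $(Get-CrlThumbprint $CrlPath) is present in the $Scope CA store"
} else {
    Write-Error "certutil reported success but no matching subkey under $(Get-CrlRegistryRoot $Scope)"
}
```

Two caveats a practitioner will want. A manually installed CRL is only honoured while it is within its own validity window (thisUpdate/nextUpdate); once it expires, CryptoAPI falls back to the distribution point, so a pushed CRL has to be re-pushed on the issuer's publication cadence. And the verification step here checks presence, not freshness: `certutil -dump <file>.crl` prints the Next Update field if you need to gate the push on that as well.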