Re: fun with CRLs!

2004-03-31 Thread Peter Gutmann 
/. is reporting this, anyone know the real story?

The CryptoAPI list has been lit up end to end with mail about this.  The
summary from one poster (Tim Anderson [EMAIL PROTECTED]) is:

  IE5.x's digital signature expired yesterday. Every computer that uses
  WinVerifyTrust now has to have the verify publisher certificate dealy
  unchecked or the WinVerifyTrust call takes upwards of 5 minutes to complete.

The fix, as for the We're from Microsoft, give us a certificate fiasco of
two years ago, is an OS update from Microsoft to replace the certs.  Further
patches will be in Win2K SP5 and WinXP SP2.

ObSnideComment: It's a good thing 99.99% of PKI use is just window dressing,
  imagine if people were basing things like electronic funds transfers on
  technology as brittle as this: Please wait 5 minutes for the server to time
  out so your funds can become available.

Peter.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

fun with CRLs!

2004-01-09 Thread Perry E. Metzger 

/. is reporting this, anyone know the real story?

  Verisign Certificate Expiration Causes Multiple Problems

  Posted by michael on Thursday January 08, @03:46PM
  from the rot-at-the-root dept.
  We had to do a little sleuthing today. Many readers wrote in with
  problems that turned out to be related. A certificate which Verisign
  used for signing SSL certificates has expired. When applications which
  depend on that certificate try to make an SSL connection, they fail
  and try to access crl.verisign.com, the certificate revocation list
  server. This has effectively DOS'ed that site, and Verisign has now
  updated the DNS record for that address to include several
  non-routable addresses, reducing the load on their servers. Some
  applications affected include older Internet Explorer browsers, Java,
  and Norton Antivirus (which may manifest itself as Microsoft Word
  being very slow to start). Hope this helps a few people, and if you
  have other apps with problems, please post about them below.

-- 
Perry E. Metzger[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]