Wooce --

        Outlook's support of revocation checking is done through CryptoAPI;
see
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/WinXPPro/support/tshtcrl.asp
to better understand how chaining and status determination is done.

        As for its OCSP support, the answer is no; it only supports CRL
checking, and only when the cert has a CRLdp extension in it. ValiCert has
developed a revocation provider that can either replace or augment the
existing revocation handling for CryptoAPI. It adds support for OCSP, SCVP,
CRL, and CRL deltas. Additionally, it provides for creating a validation
profile for a CA, so even if a certificate does not contain a pointer to
revocation information you as an administrator/user can set one. The product
is called the ValiCert Desktop Validator.


Ryan

-----Original Message-----
From: wooce [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 21, 2001 6:58 PM
To: [EMAIL PROTECTED]
Subject: Re: questions about CRL check

Thanks to Leon and Juan.

Maybe it should be OCSP (Online Certificate Status Protocol) instead of OSPF.

When you choose "Tools"->"Options"->"Security"->"Advanced" in Outlook Express,
there's an option for revocation checking; you can choose between "only when
online" or "never". If you choose "only when online", then when a signed mail
is received by Outlook Express, the certificate in the mail will be checked
for whether it has already been revoked. How can Outlook Express perform this
task? Does Outlook Express use the OCSP protocol to get a real-time CRL list
for the revocation checking task?
And there is a CRL distribution points extension (CDP) in X.509 v3
certificates; the CDP extension identifies how CRL information is obtained
(see RFC 2459). See below:
   cRLDistributionPoints ::= {
        CRLDistPointsSyntax }

   CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

   DistributionPoint ::= SEQUENCE {
        distributionPoint       [0]     DistributionPointName OPTIONAL,
        reasons                 [1]     ReasonFlags OPTIONAL,
        cRLIssuer               [2]     GeneralNames OPTIONAL }

      GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

      GeneralName ::= CHOICE {
           otherName                       [0]     OtherName,
           rfc822Name                      [1]     IA5String,
           dNSName                         [2]     IA5String,
           x400Address                     [3]     ORAddress,
           directoryName                   [4]     Name,
           ediPartyName                    [5]     EDIPartyName,
           uniformResourceIdentifier       [6]     IA5String,
           iPAddress                       [7]     OCTET STRING,
           registeredID                    [8]     OBJECT IDENTIFIER}

uniformResourceIdentifier can contain the LDAP URL information of the CRL
issuer.
So although a certificate doesn't contain a CRL, I still have a question:
When an application written by me (acting as a secure mail client) receives
a signed mail and wants to check whether the certificate in the mail has
already been revoked by the CA, does the CDP extension in the certificate
give enough information (such as an LDAP URL) for my application to retrieve
the latest CRL from the CA's LDAP server? Or else how can my secure email
client obtain the latest CRL from the CA on a regular periodic basis (e.g.,
hourly, daily, or weekly) to make the client more secure?

Have a nice day!

Wooce

----- Original Message -----
From: "ZILBER,LEONID (HP-NewJersey,ex1)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 21, 2001 10:58 AM
Subject: RE: questions about CRL check


> An X.509 certificate does NOT contain ANYTHING related to a CRL.
>
> But an X.509 certificate contains a serial number which WILL be included in
> the VeriSign-issued CRL list in case the certificate was revoked.
>
> http://onsitecrl.verisign.com/ is the site where you can check if your
> certificate was revoked.
>
> Put in the serial number of a revoked certificate and you will see it in
> the list.
>
> I believe in our case VeriSign sends us a CRL every 3 hrs or something. But
> you also can use the OSPF (something like this) protocol to get a real-time
> CRL list.
>
> Hope this helps!
> Leon
>
> -----Original Message-----
> From: Juan Carlos Albores Aguilar [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 21, 2001 1:31 PM
> To: [EMAIL PROTECTED]
> Subject: Re: questions about CRL check
>
>
> It seems like there's a problem in concepts: a certificate cannot contain a
> CRL, but a CRL can contain one or more certificates. Considering that, a
> certificate cannot even be sure to be contained in a CRL; that can only be
> known by checking the CRL. Regarding your second question, a certificate
> cannot get a CRL; that's the CA's job. The CA defines how often the CRL
> will be available, so you need to do this manually.
>
> i hope it helps, bye.
>
> Juan Carlos Albores Aguilar
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, November 20, 2001 8:49 PM
> Subject: questions about CRL check
>
>
> > Hi,
> >
> >   1.  Is an X.509 certificate sure to contain a certificate revocation
> > list?
> >   2.  If an X.509 certificate contains a CRL, is there an interface
> > defined in it for how to get the latest CRL from the CA to replace the
> > current CRL? Does any RFC define it?
> >
> >   Thank you and have a nice day.
> >
> >   Sincerely,
> >   Wooce
> >
> >
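Wooce's question about whether the cRLDistributionPoints extension carries enough to locate a CRL, and Ryan's note that CryptoAPI only checks revocation when that extension is present, both come down to decoding the structure quoted above. The following is an added example and not code from the thread or from any product named in it. It takes the DER contents of the extension's OCTET STRING (what `openssl asn1parse` or `X509_get_ext_d2i` give you; parsing the whole certificate is out of scope), walks the CRLDistPointsSyntax / DistributionPoint / GeneralName structure from the quoted ASN.1, pulls out the uniformResourceIdentifier arms, decodes the optional ReasonFlags (bit positions from RFC 5280, the successor of RFC 2459), and flags points that carry a cRLIssuer, since those name an indirect CRL that needs extra checks before its answer is trusted. The sample extension value is constructed inline with a tiny DER encoder; the hostnames and DN in it are hypothetical.

```python
"""Decode an X.509 cRLDistributionPoints extension value (RFC 2459 / RFC 5280)
and list the distribution points a mail client could fetch a CRL from.
Added example; input is the DER inside the extension's OCTET STRING."""
from urllib.parse import urlparse

SEQUENCE, SET, OID, UTF8STRING = 0x30, 0x31, 0x06, 0x0C
CTX_0_CONS, CTX_1_CONS, CTX_1_PRIM, CTX_2_CONS = 0xA0, 0xA1, 0x81, 0xA2  # DistributionPoint tags
CTX_4_CONS, CTX_6_PRIM = 0xA4, 0x86                # directoryName [4], uniformResourceIdentifier [6]

# GeneralName CHOICE arms by context tag number (same order as the ASN.1 quoted in the thread).
GENERAL_NAME_TYPES = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
                      4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
                      7: "iPAddress", 8: "registeredID"}
# ReasonFlags bit positions (RFC 5280 s4.2.1.13); bit 0 is the MSB of the first content byte.
REASON_FLAGS = ["unused", "keyCompromise", "cACompromise", "affiliationChanged", "superseded",
                "cessationOfOperation", "certificateHold", "privilegeWithdrawn", "aACompromise"]


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos] -> (tag, value, next_pos). Definite, minimal lengths only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers not supported")
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F                       # n == 0 would be indefinite length: not DER
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal length (not DER)")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Iterate the TLVs packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _general_names(value):
    """GeneralNames -> [(arm name, raw bytes)]; every element must be context-tagged."""
    out = []
    for tag, inner in _children(value):
        if tag & 0xC0 != 0x80 or (tag & 0x1F) not in GENERAL_NAME_TYPES:
            raise ValueError("not a GeneralName tag: 0x%02x" % tag)
        out.append((GENERAL_NAME_TYPES[tag & 0x1F], inner))
    return out


def _reason_flags(bitstring):
    """BIT STRING contents (first byte = unused-bit count) -> names of the set ReasonFlags."""
    if not bitstring or bitstring[0] > 7:
        raise ValueError("bad BIT STRING")
    bits = bitstring[1:]
    return [name for i, name in enumerate(REASON_FLAGS)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))]


def parse_crl_distribution_points(ext_value):
    """One dict per DistributionPoint: uris, reasons (None = CRL covers all), crl_issuer, relative_name."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != SEQUENCE or end != len(ext_value):
        raise ValueError("expected a single SEQUENCE")
    points = []
    for dp_tag, dp in _children(body):
        if dp_tag != SEQUENCE:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        point = {"uris": [], "reasons": None, "crl_issuer": [], "relative_name": False}
        for tag, val in _children(dp):
            if tag == CTX_0_CONS:              # distributionPoint [0] EXPLICIT (it wraps a CHOICE)
                choice, inner, used = _read_tlv(val, 0)
                if used != len(val):
                    raise ValueError("trailing bytes after DistributionPointName")
                if choice == CTX_0_CONS:       # fullName [0] GeneralNames
                    point["uris"] += [v.decode("ascii") for t, v in _general_names(inner)
                                      if t == "uniformResourceIdentifier"]
                elif choice == CTX_1_CONS:     # nameRelativeToCRLIssuer [1]: needs the issuer DN
                    point["relative_name"] = True
                else:
                    raise ValueError("bad DistributionPointName tag")
            elif tag == CTX_1_PRIM:            # reasons [1] ReasonFlags
                point["reasons"] = _reason_flags(val)
            elif tag == CTX_2_CONS:            # cRLIssuer [2] GeneralNames => indirect CRL
                point["crl_issuer"] = [t for t, _ in _general_names(val)]
            else:
                raise ValueError("unexpected element in DistributionPoint: 0x%02x" % tag)
        points.append(point)
    if not points:
        raise ValueError("CRLDistPointsSyntax requires at least one DistributionPoint")
    return points


def plan_crl_fetch(points):
    """Points a client can act on: http/https/ldap URIs only. 'indirect' means the fetched
    CRL's issuer and issuingDistributionPoint must be verified before its answer is trusted."""
    return [{"uri": uri, "scheme": urlparse(uri).scheme.lower(), "reasons": p["reasons"],
             "indirect": bool(p["crl_issuer"])}
            for p in points for uri in p["uris"]
            if urlparse(uri).scheme.lower() in ("http", "https", "ldap")]


def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lenbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + body


# Constructed sample (hypothetical hosts/DN): three DistributionPoints, 239 bytes of body so the
# outer SEQUENCE exercises the long-form length path.
URI_HTTP = "http://crl.example.com/ca.crl"
URI_LDAP = "ldap://ldap.example.com/cn=ExampleCA,o=Example?certificateRevocationList;binary"
_cn_issuer = _der(SEQUENCE, _der(SET, _der(SEQUENCE, _der(OID, b"\x55\x04\x03")   # 2.5.4.3 = CN
                                                    + _der(UTF8STRING, b"Example CRL Issuer"))))
SAMPLE_CDP = _der(SEQUENCE,
    _der(SEQUENCE, _der(CTX_0_CONS, _der(CTX_0_CONS, _der(CTX_6_PRIM, URI_HTTP.encode())
                                                     + _der(CTX_6_PRIM, URI_LDAP.encode()))))
    + _der(SEQUENCE, _der(CTX_0_CONS, _der(CTX_0_CONS, _der(CTX_6_PRIM, b"http://crl.example.com/hold.crl")))
                     + _der(CTX_1_PRIM, bytes([0x01, 0x42])))       # keyCompromise|certificateHold, 1 unused bit
    + _der(SEQUENCE, _der(CTX_0_CONS, _der(CTX_0_CONS, _der(CTX_6_PRIM, b"http://crl.example.com/indirect.crl")))
                     + _der(CTX_2_CONS, _der(CTX_4_CONS, _cn_issuer))))  # cRLIssuer: directoryName [4] EXPLICIT Name

if __name__ == "__main__":
    for entry in plan_crl_fetch(parse_crl_distribution_points(SAMPLE_CDP)):
        print(entry)
```

Two things the parser makes visible that the thread left open. First, the extension answers only "where": the URI is all a client gets, so an LDAP URI needs an LDAP client and an HTTP URI a plain fetch, and a point with nameRelativeToCRLIssuer cannot be resolved without the certificate's issuer DN. Second, the refresh interval Wooce asks about is not in the certificate at all; the CRL itself carries thisUpdate and nextUpdate (RFC 5280 s5.1.2.5), so a client re-fetches before nextUpdate passes and treats an expired CRL as no answer rather than as "not revoked".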


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]