Re: Verisign CRL single point of failure
Verisign incorrectly built the new certificate, causing every SSL access on IE 5.x to request a new CRL (700k) on every single SSL access. This has been fixed, a new updated cert is available and the CRL storm is abating. See the Verisign site for more details on what they did to fix the problem, but nothing of course on what they did wrong. Note that two separate certs expired at the same time so there were two competing DOS attacks simultaneously.

hth
..tom

Can someone explain to me why the expiring of a certificate causes new massive CRL queries?
/r$

--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Any good books or URLs for WinXP crypto security?
Securing Mobile Computers with Windows XP Professional

This article examines specific threats that can affect mobile computers, including how security tools and privacy services included in the Windows XP Professional operating system provide solutions to combat these threats.
http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/mblsecxp.asp

hth
..tom

I am looking for good books and/or URLs on the best practices for securing a standalone laptop running WinXP. How should the built-in crypto be configured? Is the built-in crypto worth using or is there an add-on product that is much better? Is there any public review of the built-in crypto design? I am very familiar with the CryptoAPI and CSP layers, but not the file/folder/partition layers. Where is a good checklist of services to turn off and things to configure carefully? Yes, I know that a custom Linux system would be better, but that is not an option.

--Bob Baldwin
Partner, Plus Five Consulting, Inc.
[EMAIL PROTECTED], voice fax: 1-650-852-9675
Re: Internal format of RSA private keys in microsoft keystore.
key containers in MS are encrypted. there is a capi m/l to be found at http://discuss.microsoft.com/archives/index.html

..tom

Greetings,

In the process of trying to work around some of the limitations of the m$-CAPI API, I'm trying to decipher the internal representation of private keys in the default m$ key store, in order to extract the private key out. The systems I'm working on are Win2K and XP, both on NTFS. Google didn't give me much. Has anyone been able to figure out the format of private key files? You can have a look at

C:/Documents and Settings/username/Application Data/Microsoft/Crypto/RSA/*/filename

I'm trying this because CryptAcquireContext() dies with the error NTE_BAD_KEYSET half the time. This is supposed to indicate that the key container doesn't exist or it could be corrupted. At this point I'm trying to see if the files are in good shape by reading them out. Having come from a Unix world, there may be something obvious I'm missing out, so please have patience :)

Thanks,
Sriram.