Re: Detailed description of Crypto API changes in MS04-011 available??

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 08/03/04


Date: Tue, 3 Aug 2004 05:13:44 -0700

We are working on an updated version of this paper which will include all
the MS04-011 updates, but unfortunately it is not yet ready.

http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Christian Swoboda" <e9025902@stud2.tuwien.ac.at> wrote in message
news:53682b9d.0408030215.4e364a44@posting.google.com...
> Hi there!
>
> I know it seems a bit late ;-) but since I'm writing a paper about
> "Web Authentication with Client Certificates" and my company uses
> this authentication since 2001 I would like to know if there's
> a detailed description of Crypto API changes which came with
> the patch MS04-011 (especially the changes related to client
> certificates and CRL checking).
>
> We are using Windows 2000 Server with the latest SPs and patches
> (also since 2001) and IIS 5 (obviously ;-)
>
> Here are a few things I found out so far:
>
> - Before this patch client certificates with a (specific) faulty CDP
>   were NOT seen as revoked from IIS 5 !! This led to the effect that
>   before the patch these certificates were accepted by IIS and after
>   the patch they were rejected (even ones NOT on the CRL!)
>   [e.g. if the only CDP entry is LDAP but the address is missing, the
>         CRL was not checked]
>
> - The CRL-cache directory for IIS has changed from
>   "C:\Documents and Settings\Default User\Local Settings\
>      Temporary Internet Files"
>   to
>   "C:\Documents and Settings\Default User\Application Data\
>      Microsoft\CryptNetUrlCache"
>
>   You can verify this easily with the "certutil" utility which came
>   with Windows Server 2003 (that's how I found out about it):
>
>    certutil -v -urlcache CRL
>
>   BTW: Here's "How to use the Windows Server 2003 version of the
>        Certutil.exe program on a Windows XP or a Windows 2000-based
>        computer"   http://support.microsoft.com/?id=836427
>
> - On one test server the "CertCheckMode" IIS MetaBase setting did not
>   turn off CRL checking when set to 1 (could be a faulty metabase, though)
>
>
> Some other hints about changes can be found here:
>
> Errors with client certificates occur after you install the MS04-011
> security update on an IIS 5.0 computer
> http://support.microsoft.com/?id=841642
>
> IIS returns a "403.13 Client Certificate Revoked" error message after
> you install MS04-011 because of Wininet proxy settings
> http://support.microsoft.com/?id=841641
>
> You receive a "403.13 client certificate revoked" error message after
> you install the MS04-011 security update
> http://support.microsoft.com/?id=841632
>
>
> Maybe this not only leads to a response from Microsoft people, but it
> also helps one or two guys out there scratching their heads right now ...
>
> cheers
>   Chris
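The distinction Chris describes above (a certificate that is actually on a CRL versus one whose CRL simply cannot be retrieved because the CDP is unreachable or malformed, which a strict relying party also rejects) can be reproduced outside IIS with the same CryptoAPI chain engine. The following PowerShell script is an added example and is not part of the original thread or of any Microsoft documentation; it assumes a client certificate exported to a placeholder path `C:\certs\client.cer` and a host with network access to the CDP. It builds the chain with online revocation checking for the entire chain, then reports which of the three outcomes occurred before listing the CRL URL cache with the `certutil` syntax quoted in the post.

```powershell
# Added example, not from the original post. Builds an X509 chain for a client
# certificate with online revocation checking and separates "revoked" from
# "revocation status could not be determined".
param(
    # Placeholder path: point this at the client certificate you want to test.
    [string]$CertPath = 'C:\certs\client.cer'
)

$ns = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$ns.X509Certificate2" ($CertPath)
$chain = New-Object "$ns.X509Chain"

# Fetch CRLs (or OCSP responses) online for every certificate in the chain,
# not only the leaf, and give up after 15 seconds per URL.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$built = $chain.Build($cert)

# Combine the status flags of all chain elements into a single flags value.
$T = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
$flags = $T::NoError
foreach ($s in $chain.ChainStatus) { $flags = $flags -bor $s.Status }

if ($built) {
    "OK: chain built and revocation checked, certificate is NOT revoked."
}
elseif ($flags -band $T::Revoked) {
    "REVOKED: the certificate is listed on a CRL, so a 403.13 is correct."
}
elseif (($flags -band $T::RevocationStatusUnknown) -or ($flags -band $T::OfflineRevocation)) {
    "UNKNOWN: the CRL could not be retrieved (unreachable or malformed CDP)."
    "A relying party that fails closed rejects this certificate even though it is on no CRL."
}
else {
    "FAILED for another reason:"
    foreach ($s in $chain.ChainStatus) {
        "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
}

# Show which CRLs were fetched and cached during the check (Windows Server 2003
# certutil syntax as quoted in the post; use 'certutil -urlcache * delete' to clear it).
certutil -v -urlcache CRL
```

Running this against a certificate whose only CDP entry is an incomplete LDAP URL lands in the UNKNOWN branch, which is the case the post reports as "rejected even though not on the CRL" after MS04-011; checking the cache listing afterwards shows whether a CRL was ever downloaded for the issuer.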