Re: CryptoAPI / CAPICOM Chain Building
From: Kelvin Yiu [MS] (kelviny_at_online.microsoft.com)
Date: 11/16/04
- Next message: Eugene Mayevski: "CSP signing problem"
- Previous message: lelteto: "Re: Use of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"
- In reply to: Bill Brice: "Re: CryptoAPI / CAPICOM Chain Building"
- Next in thread: Bill Brice: "Re: CryptoAPI / CAPICOM Chain Building"
- Reply: Bill Brice: "Re: CryptoAPI / CAPICOM Chain Building"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 16 Nov 2004 10:06:03 -0800
1. Correct. However, note that this is the only way to build a chain
correctly for CAs who changed the subject name encoding (say from Printable
String to UTF8) after renewing their certificate.
2. We have backported the W2K3 chaining behavior to Windows XP in SP2 and
Windows 2000 in the MS04-11 security update. It is not 100% compliant with
RFC 3280 but it's close. I don't think there are any implementations out
there that are 100% compliant with RFC 3280.
--
Kelvin Yiu [MS]
This posting is provided "AS IS" with no warranties, and confers no rights

"Bill Brice" <BillBrice@discussions.microsoft.com> wrote in message
news:45E0CA64-323E-44BC-AF3C-2353BD809B27@microsoft.com...
> David,
>
> Thank you. 2 questions:
>
> 1) Since it does not appear that you can set any options on the chain engine
> to force a particular type of chain matching - if you have a PKI with AKID /
> SKID based on hashes of public keys in all certs - Windows will use that even
> if names do not match. Therefore it would be up to the application to
> further check name matching itself, if that is a requirement. Is that
> correct?
>
> 2) Has the current release of CryptoAPI (current service packs) implemented
> RFC 3280?
>
> Bill Brice
> -------------------------------
> "David Cross [MS]" wrote:
>
>> Actually, CryptoAPI builds a graph of all possible chains and will select
>> the highest quality chain based on all information.
>>
>> http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
>>
>> --
>> David B. Cross [MS]
>>
>> --
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> http://support.microsoft.com
>>
>> "Bill Brice" <BillBrice@discussions.microsoft.com> wrote in message
>> news:83521D62-844A-47C4-8E34-448B8E3C370E@microsoft.com...
>> > CryptoAPI seems to build chains based on Authority Key ID and Subject
>> > Key ID and ignores matching Subject and Issuer names. Is there a way to
>> > have it check both or is this an implementation issue (result observed
>> > on Windows Server 2003)?
>> > --
>> > Bill Brice
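The behaviour discussed in this thread, as an added example that is not from the thread or from Microsoft: a small Go program (standard library only, not CryptoAPI) that builds a constructed in-memory PKI, links a leaf to its issuer purely by AKID/SKID plus signature, the way Bill describes Windows doing it, and then applies issuer/subject name matching as a separate application-level policy, which is what his question 1 concludes the application must do itself. The `renameIssuer` switch produces a leaf whose Issuer name differs from the root's Subject while the key identifiers still match, so you can see the two checks disagree. The certificate names, key identifiers and all function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed in-memory PKI: one root CA and one leaf whose
// AuthorityKeyId points at the root's SubjectKeyId. Not from the original post.
type DemoPKI struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

func makeCert(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoPKI creates the root and a leaf signed by the root key. With
// renameIssuer set, the leaf's Issuer name deliberately differs from the
// root's Subject (as if the CA renamed itself on renewal) while the AKID/SKID
// link and the signature stay valid.
func BuildDemoPKI(renameIssuer bool) (*DemoPKI, error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, errors.New("key generation failed")
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"}, // constructed
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		SubjectKeyId:          []byte{0x01, 0x02, 0x03, 0x04}, // constructed SKID
	}
	root, err := makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// The leaf's Issuer and AuthorityKeyId come from the parent template, so a
	// renamed copy of that template gives a leaf whose Issuer != root Subject.
	parent := caTmpl
	if renameIssuer {
		renamed := *caTmpl
		renamed.Subject = pkix.Name{CommonName: "Demo Root CA (renamed)"}
		parent = &renamed
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "leaf.example"}, // constructed
		NotBefore:    now,
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	leaf, err := makeCert(leafTmpl, parent, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{Root: root, Leaf: leaf}, nil
}

// linkByKeyID models the behaviour the thread describes: pick the candidate
// whose SubjectKeyId equals the child's AuthorityKeyId and verify the
// signature, without comparing Issuer and Subject names at all.
func linkByKeyID(child *x509.Certificate, candidates []*x509.Certificate) (*x509.Certificate, error) {
	for _, c := range candidates {
		if len(child.AuthorityKeyId) > 0 && bytes.Equal(c.SubjectKeyId, child.AuthorityKeyId) {
			if err := child.CheckSignatureFrom(c); err != nil {
				return nil, err
			}
			return c, nil
		}
	}
	return nil, errors.New("no candidate issuer with a matching key identifier")
}

// IssuerNameMatches is the application-level check. strictDER compares the
// DER-encoded names byte for byte (RawIssuer vs RawSubject); that comparison
// is exactly what breaks when a CA re-encodes its name (PrintableString to
// UTF8String) on renewal, the case Kelvin notes key-ID matching handles. The
// non-strict form compares the parsed names as strings and tolerates that.
func IssuerNameMatches(child, parent *x509.Certificate, strictDER bool) bool {
	if strictDER {
		return bytes.Equal(child.RawIssuer, parent.RawSubject)
	}
	return child.Issuer.String() == parent.Subject.String()
}

// ValidateLeaf links by key identifier and then, if the application requires
// it, enforces strict issuer/subject name matching on top.
func ValidateLeaf(leaf *x509.Certificate, roots []*x509.Certificate, requireNameMatch bool) error {
	parent, err := linkByKeyID(leaf, roots)
	if err != nil {
		return err
	}
	if requireNameMatch && !IssuerNameMatches(leaf, parent, true) {
		return fmt.Errorf("issuer %q does not match parent subject %q", leaf.Issuer.String(), parent.Subject.String())
	}
	return nil
}

func main() {
	for _, renamed := range []bool{false, true} {
		pki, err := BuildDemoPKI(renamed)
		if err != nil {
			panic(err)
		}
		roots := []*x509.Certificate{pki.Root}
		fmt.Printf("issuer renamed=%v  key-ID chain: %v  with name check: %v\n",
			renamed, ValidateLeaf(pki.Leaf, roots, false), ValidateLeaf(pki.Leaf, roots, true))
	}
}
```

With `renameIssuer` set, `ValidateLeaf(..., false)` still succeeds because the key identifiers match and the signature verifies, while `ValidateLeaf(..., true)` fails on the name comparison; that split is the point of Bill's question 1, and the `strictDER` flag is where the encoding-change caveat from Kelvin's answer shows up.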