Re: Certificate Revocation List (CRL) problem w/ Outlook XP

From: S. Pidgorny [MVP] (slavickp@yahoo.com)
Date: 11/29/02


From: "S. Pidgorny [MVP]" <slavickp@yahoo.com>
Date: Sat, 30 Nov 2002 00:06:41 +1100

You can enable CRL checking - see, for example, here:

http://www.dsinet.org/textfiles/nsa-files/Win2k/using_dod_pki_certificates_in_outlook_2000.pdf

(be extremely careful - registry change required)

Or use Outlook XP, it checks CRL by default.

--
Svyatoslav Pidgorny, MS MVP, MCSE
-= F1 is the key =-
"Microsoft" <k.tolias@asyk.ase.gr> wrote in message
news:uzmWkp3lCHA.1896@tkmsftngp04...
> Sorry to interrupt but I believe that there is no way to check the status
> of the Signing Certificate using Outlook Clients.
>
> That's because Outlook 2000 never checks for the CRL, just always says that
> the Certificate is not Revoked. Try to Revoke your Certificate and you
> will see what I mean!!!
>
> Outlook 02 client has a different approach. When you ask for the validity
> of the Signing Certificate, the system fetches the Crl files to your Local
> "Temporary Internet Files". Unfortunately, even though the System has the
> Certificate Revocation List, it cannot determine whether the Signing
> Certificate is Revoked or not!!!
>
> This is a bug I have reported to Microsoft since 1st of October.
>
> According to Microsoft there is a Restriction in the Certificate Checking
> Procedure.
>
> If a Certificate found in the Certification Path has no CDP (Certificate
> Revocation List Distribution Point) then Outlook 02 replies with the
> warning that you mentioned.
>
> So once again Microsoft ignores RFCs. That's not a new one!!! The answer
> that they gave me after two months is that they will try to fix the
> problem, or... not (Ahhh)
>
> Now you might understand why you keep getting this message. Thawte Root
> Certificate has no CDP, as it is supposed to be for everyone else except
> Microsoft : )
>
> You can try 2 workarounds.
>
> 1. Install Windows XP. The above-described procedure is totally changed,
> so it works fine.
>
> 2. Find the crl file in your Local "Temporary Internet Files" and install
> it manually. It worked for me. If you can't find it, download it from the CDP.
>
>  Keep in touch. This is a very serious issue, so any feedback appreciated!
>
>
>
> Thanks,
>
>  Kyriakos Tolias
>
>
>
> "Jerry Benton" <jcbenton@atsugi.navy.mil> wrote in message
> news:189f201c295a0$d79caaf0$8af82ecf@TK2MSFTNGXA03...
>
> > David hit it right on the head...
> >
> > Outlook 2002 attempts to bounce the certificate off a CRL
> > and Outlook 2000 does not. (Unless you turn it on.) You
> > can turn it off via a registry hack if you like. I know
> > Outlook 02 will hang until it times out, which is a real
> > pain waiting for around 2 minutes to view a signed email.
> > You can check and see what its doing by running "netstat"
> > in a CMD prompt. Also, instead of disabling it, you can
> > reduce the time out to just a few seconds. (I think :) )
> >
> > Also.... Outlook is making a call through a port (LDAP 389
> > and LDAPS 636) and if you have that port blocked by a
> > firewall... same deal.... it hangs until it times out.
> >
> > Email me if you want the hack to turn it off. But make
> > changes to your own registry at your own risk :)
> >
> > Jerry
> >
> >
> >
> > >-----Original Message-----
> > >I have recently obtained a Thawte Personal Freemail
> > >certificate, which I have successfully imported into
> > >Internet Explorer 6SP1/Outlook 2002SP2.  I have signed
> > >messages and sent them. The problem I have encountered (in
> > >testing) is that Outlook 2002 (on the receiving end) will
> > >not verify the signature because "The Certificate
> > >Revocation List ... is unavailable..."  The same exact e-
> > >mail received in Outlook 2000 verifies the signature
> > >without a problem.
> > >
> > >I've searched the MS knowledge base and found some
> > >articles referring to a similar problem.  The suggested
> > >fixes have been applied w/ out fixing the problem.
> > >
> > >Furthermore, I have pored through the thousands of
> > >messages in these newsgroups and have found nothing that
> > >helps.
> > >
> > >Surely there is an answer! But does anyone out there know
> > >what it is?
> > >.
> > >
>
>
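
The thread turns on three things a practitioner wants to see for themselves: whether each certificate in the signer's path actually carries a CRL Distribution Point (the root normally does not), whether the revocation check came back "revoked" or merely "could not determine", and how long the CRL download is allowed to take. The PowerShell below is an added example, not code from the thread or from Microsoft; it drives the same Windows CryptoAPI chain engine through .NET's X509Chain. The file path is a placeholder for a signer certificate you have exported from a signed message.

```powershell
# Added example: build a signer's certificate chain with online CRL checking,
# cap the CRL download time, and report per-certificate CDP presence.
# Assumptions: signer.cer is a certificate exported from the signed message
# (path is hypothetical); the machine can reach the CDP URLs.

function Test-SignerChain {
    param(
        [Parameter(Mandatory)][string]$Path,   # exported signer certificate (.cer)
        [int]$TimeoutSeconds = 10             # cap on CRL fetch, instead of waiting minutes
    )

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Online: fetch CRLs from each certificate's CDP.
    # NoCheck would reproduce the "never checks, always says not revoked" behaviour.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # ExcludeRoot: a self-signed root has no CDP by design, so do not demand
    # revocation data for it (demanding it is exactly the failure the thread describes).
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

    $valid = $chain.Build($cert)

    # Walk the path leaf -> root; CRL Distribution Points is extension OID 2.5.29.31.
    foreach ($element in $chain.ChainElements) {
        $c      = $element.Certificate
        $cdp    = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $isRoot = ($c.Subject -eq $c.Issuer)
        Write-Output ("{0}`n    self-signed root: {1}`n    CDP present: {2}" -f
            $c.Subject, $isRoot, ($null -ne $cdp))
        if ($cdp) {
            # Format($true) renders the extension as multi-line text, i.e. the CRL URLs.
            Write-Output ('    ' + ($cdp.Format($true) -replace "`r`n", "`n    "))
        }
        foreach ($s in $element.ChainElementStatus) {
            Write-Output ('    status: {0} ({1})' -f $s.Status, $s.StatusInformation.Trim())
        }
    }

    # Separate a definite "revoked" from "revocation status could not be determined";
    # the latter (RevocationStatusUnknown / OfflineRevocation) is the warning in the thread.
    $flags   = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $unknown = ($flags -contains 'RevocationStatusUnknown') -or ($flags -contains 'OfflineRevocation')
    $revoked = ($flags -contains 'Revoked')

    [pscustomobject]@{
        Signer            = $cert.Subject
        ChainValid        = $valid
        Revoked           = $revoked
        RevocationUnknown = $unknown
        Status            = ($flags -join ', ')
    }
}

Test-SignerChain -Path 'C:\temp\signer.cer'
```

Run it against a certificate you have deliberately revoked at your CA to confirm that `Revoked` flips to True rather than `RevocationUnknown`; if the CDP URL is unreachable the result shows `OfflineRevocation` after `UrlRetrievalTimeout` elapses instead of hanging. The built-in equivalent from a command prompt is `certutil -verify -urlfetch signer.cer`, which prints the CDP it tried and the fetch result for each certificate in the path.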

