Re: Getting rid of my Certification Authority



On Wed, 30 Apr 2008 07:49:01 -0700, justmark wrote:

> Hi Brian,
>
> Just a followup question on this - I've turned off the CA service, but from
> what I see, nothing has changed. Before doing that, I'd created a folder on
> my desktop on my PC and put one file into it. I then encrypted the folder.
> That's still encrypted and I can still open it. I went to the CA manager and
> revoked (cease of operation) my new certificate (before I killed the service).
>
> I'm just wondering how long I should expect it to take to show some reaction
> to all of this? I want to test getting rid of my CA entirely but need to be
> sure that if somebody actually has an encrypted folder, they'll know - then
> I'll just turn the service back on and deal with it. But if what I've done
> so far has no effect, I can't be sure about any of this.
>
> Any advice would be very much appreciated!

A couple of things here. First of all, have you checked to see if any EFS
certificates have actually been issued in the first place? Just because you
have or had a CA up and running, that does not mean that it has issued any
EFS certificates.

Secondly, if you have issued EFS certificates, are they based on the default
version 1 Basic EFS certificate template? If so then you really don't need
to worry about the CA being available as you won't have the private key of
any issued certificates archived.

Thirdly, you need to understand how revocation works with EFS. The only time
that EFS will check for certificate revocation is when one is trying to
share an EFS encrypted file with another user. EFS will check to see
whether or not that user's certificate has been revoked. If it has been, you
won't be able to share the encrypted file with that user. If you revoked
your EFS certificate you will be able to use it to encrypt new content as
long as it is still time valid and you'll be able to use it to decrypt
existing content forever.

You seem to be under the impression that there is a close tie-in with a CA
and EFS and there really is not.

--
Paul Adare
http://www.identit.ca
Computer problems? Have you checked the loose nut in front of the keyboard?
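
An added example, not part of the original post and not written by its author: a PowerShell check, run as the user who encrypted the files, for the first two points in the reply above. It lists the EFS-capable certificates in that user's store, shows whether each was issued by a CA or is self-signed, which template it carries, and which one EFS currently uses. It assumes PowerShell 3.0 or later; the OIDs and registry path are standard Windows values, not values taken from the thread.

```powershell
# Added example: inventory the current user's EFS certificates.
$efsEku    = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$tmplV1Oid = '1.3.6.1.4.1.311.20.2'     # Certificate Template Name (v1 templates)
$tmplV2Oid = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information (v2 and later)

# Thumbprint of the certificate EFS uses for new encryption, if one is recorded.
$keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$current = $null
$prop = Get-ItemProperty -Path $keyPath -Name CertificateHash -ErrorAction SilentlyContinue
if ($prop) {
    $current = ($prop.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
}

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
    ForEach-Object {
        $cert = $_
        $v1 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $tmplV1Oid }
        $v2 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $tmplV2Oid }
        $template = if ($v1) { $v1.Format($false) }
                    elseif ($v2) { $v2.Format($false) }
                    else { '(no template extension)' }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Issuer        = $cert.Issuer
            # Subject equal to Issuer means EFS generated the certificate itself,
            # so no CA was involved in issuing it.
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            Template      = $template
            NotAfter      = $cert.NotAfter
            # Decrypting existing files depends on this key being present locally.
            HasPrivateKey = $cert.HasPrivateKey
            CurrentEfsKey = ($cert.Thumbprint -eq $current)
        }
    } | Format-List
```

A row with `SelfSigned = True` or a v1 template name means taking the CA offline changes nothing for that user; what has to be protected is the local private key, which should be exported and backed up.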