Re: certificate revocation doesn't work

From: David Cross [MS] (dcross@online.microsoft.com)
Date: 11/14/02


From: "David Cross [MS]" <dcross@online.microsoft.com>
Date: Wed, 13 Nov 2002 20:51:10 -0800


If you want to archive your encryption keys, yes. The .NET version of the
CA will eliminate the requirement to use KMS.

http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/default.asp

--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"John McCoy" <jmccoy@cmatech.com> wrote in message
news:uL57FKoiCHA.2664@tkmsftngp11...
> One interesting note, I am not using Key Manager from Exchange 2000, should
> I be?
>
> Thanks
>
> "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> news:#xTSgeliCHA.1688@tkmsftngp08...
> > Easy one - Outlook 2000 does not check revocation by default. You have
> > to set two registry keys (documented in KB articles) to enable this
> > feature. Outlook XP does check revocation by default.
> >
> > --
> > David B. Cross [MS]
> > --
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > http://support.microsoft.com
> >
> > "John McCoy" <jmccoy@cmatech.com> wrote in message
> > news:ePV4XSciCHA.2240@tkmsftngp12...
> > > David, I tried this in my test lab and even after the user's
> > > certificate was revoked I was able to digitally sign an email. I
> > > understand the revocation list is in a local cache, but how often is
> > > the cache updated if the revocation list is updated, say, hourly?
> > >
> > > Why isn't this kept in AD so when a user logs in the cert is marked as
> > > revoked?
> > >
> > > I am testing this using Office 2000 and Windows 2000 and Exchange 2000
> > > SP3.
> > >
> > > Thanks
> > >
> > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > news:e7WQlrMiCHA.2636@tkmsftngp08...
> > > > I am not saying that the cert is not revoked and no longer invalid - I
> > > > am just pointing out that the cert viewer you are using is not
> > > > showing the revoked status. If the user tries to use the cert once it
> > > > shows up on the CRL, it can't be used for signing or encryption. Also
> > > > note that when you send a signed mail to a user with a revoked cert,
> > > > you are using your cert to send the signed mail, not the user who is
> > > > going to receive the mail.
> > > >
> > > > --
> > > > David B. Cross [MS]
> > > > --
> > > > This posting is provided "AS IS" with no warranties, and confers no
> > > > rights.
> > > > http://support.microsoft.com
> > > >
> > > > "John McCoy" <itsme109@hotmail.com> wrote in message
> > > > news:usrsie76m50i1a@corp.supernews.com...
> > > > > So what good is revoking a certificate? Am I to assume that if I
> > > > > want to send a user with a revoked certificate a digitally signed
> > > > > email that can't be done since the certificate has been revoked? I
> > > > > set up the certificate revocation list to be published daily.
> > > > >
> > > > > I am just trying to understand the process and make it work since
> > > > > we are working with organizations to help them comply with HIPAA.
> > > > >
> > > > > I will look at the article...
> > > > >
> > > > > Thanks
> > > > >
> > > > > --
> > > > > John McCoy
> > > > >
> > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > > news:eRjatFGiCHA.1736@tkmsftngp11...
> > > > > > That is correct and it is also important to note that not all
> > > > > > applications or the cert viewer (Certificates MMC, for example)
> > > > > > check revocation. So the cert may be invalid, but the scenario in
> > > > > > which you are viewing it may not be actually checking the
> > > > > > revocation.
> > > > > >
> > > > > > --
> > > > > > David B. Cross [MS]
> > > > > > --
> > > > > > This posting is provided "AS IS" with no warranties, and confers
> > > > > > no rights.
> > > > > > http://support.microsoft.com
> > > > > >
> > > > > > "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> > > > > > news:Cccz9.5162$mN6.2172255@newssrv26.news.prodigy.com...
> > > > > > > Here is a link about certificate revocation. The part about
> > > > > > > client cache is very important. Apparently even if a certificate
> > > > > > > is on the list it might not be updated on clients for several
> > > > > > > days unless they manually download a new list!! --- Steve
> > > > > > >
> > > > > > > http://support.microsoft.com/default.aspx?scid=KB;EN-US;313281&
> > > > > > >
> > > > > > > "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> > > > > > > news:U0cz9.5161$mN6.2171218@newssrv26.news.prodigy.com...
> > > > > > > > Hi John. I don't think the certificate itself is marked
> > > > > > > > "invalid" - but I may be wrong, someone please correct me if I
> > > > > > > > am. However once a certificate is revoked it is published in
> > > > > > > > the revoked list which other computers should check before
> > > > > > > > allowing it to be used for authentication with them. Check to
> > > > > > > > see if the certificate is in the revoked list and then try to
> > > > > > > > use it for authentication and you should be denied access.
> > > > > > > > --- Steve
> > > > > > > >
> > > > > > > > "John McCoy" <itsme109@hotmail.com> wrote in message
> > > > > > > > news:usqdg0r7cecma0@corp.supernews.com...
> > > > > > > > > Hi Steve, I did republish the list afterwards but what
> > > > > > > > > bothered me was I logged in as the user and looked at their
> > > > > > > > > certificate and it said it was still valid; shouldn't it
> > > > > > > > > have seen it wasn't valid?
> > > > > > > > >
> > > > > > > > > We will be using this to send and receive digitally signed
> > > > > > > > > emails and documents so I want to make sure I understand
> > > > > > > > > what is happening. I'll look at it Monday but the user's
> > > > > > > > > certificate seemed valid to me and that is an issue.
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > John
> > > > > > > > > johnm160@hotmail.com
> > > > > > > > >
> > > > > > > > > "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> > > > > > > > > news:D4bz9.5153$mN6.2166308@newssrv26.news.prodigy.com...
> > > > > > > > > > Hi John. I see no one else answered this so let me take a
> > > > > > > > > > stab at it, but it has been a while since I played with a
> > > > > > > > > > CA. If I recall correctly when a certificate is revoked it
> > > > > > > > > > is not removed or modified in any way, but is put on the
> > > > > > > > > > revoked list where other computers will check first before
> > > > > > > > > > allowing it to be used for any authentication. This is the
> > > > > > > > > > best way because someone can have multiple copies of their
> > > > > > > > > > certificate at different places. I remember that revoked
> > > > > > > > > > lists are updated on a periodic basis and you may want to
> > > > > > > > > > use your CA MMC to do an immediate update/publish after a
> > > > > > > > > > revocation and then check the revocation list on the
> > > > > > > > > > CertEnroll share. Good luck. --- Steve
> > > > > > > > > >
> > > > > > > > > > "John McCoy" <jmccoy@cmatech.com> wrote in message
> > > > > > > > > > news:#SJiYG3hCHA.2008@tkmsftngp08...
> > > > > > > > > > > I have an AD CA and revoked a user's certificate and
> > > > > > > > > > > saw it on the list but the user still has the
> > > > > > > > > > > certificate which says it is valid. This is internally
> > > > > > > > > > > in our AD domain.
> > > > > > > > > > >
> > > > > > > > > > > Thanks
> > > > > > > > > > >
> > > > > > > > > > > John McCoy
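The behaviour the thread circles around, as an added Go example that is not from any poster, from Microsoft's CA, or from Outlook: a revoked certificate is never altered, so a relying application can only learn of revocation by verifying a CRL, checking that its cached copy is still within NextUpdate, and then looking the serial number up. The CA, both keys (fixed seeds), the user certificate and the daily CRL are all constructed in memory; the stale-cache case is the one the quoted KB 313281 link warns about, where a day-old cached CRL must not be taken as proof that a certificate is good.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrStaleCRL = errors.New("cached CRL is past its NextUpdate") // a "not revoked" answer from it cannot be trusted

// IsRevoked does what a revocation-aware client must do. Revoking never alters the certificate itself,
// so verify the CRL's signature, refuse a stale cached copy, and only then look the serial number up.
func IsRevoked(cert, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if now.After(crl.NextUpdate) {
		return false, ErrStaleCRL
	}
	for _, rc := range crl.RevokedCertificates { // pre-Go 1.21 field name; the parser still populates it
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildLab makes an in-memory CA, a user cert it issued, and a CRL with a one-day NextUpdate that
// revokes that cert. Constructed test data with fixed key seeds; nothing here comes from a real PKI.
func BuildLab(now time.Time) (ca, user *x509.Certificate, crl *x509.RevocationList) {
	caKey, userKey := ed25519.NewKeyFromSeed(make([]byte, 32)), ed25519.NewKeyFromSeed(append(make([]byte, 31), 1))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now, NotAfter: now.Add(72 * time.Hour)}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey))))
	user = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(4242),
		Subject: pkix.Name{CommonName: "jmccoy"}, NotBefore: now, NotAfter: now.Add(72 * time.Hour)}, ca, userKey.Public(), caKey))))
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: user.SerialNumber, RevocationTime: now}}}, ca, caKey))))
	return
}
```

Call BuildLab and then IsRevoked twice: at crl.ThisUpdate the user certificate is reported revoked, and at ThisUpdate plus 25 hours the result is ErrStaleCRL, which is the correct answer for a client still holding yesterday's CRL. Passing a certificate that is not a CA as the issuer makes CheckSignatureFrom fail, so a CRL not signed by the claimed CA is never consulted.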

