Re: certificate revocation doesn't work
From: D. Cross [MS] (dcross@online.microsoft.com)
Date: 01/30/03
- Next message: Nick Falcone: "Power Management"
- Previous message: David Lorenzen: "IAS and SonicWall"
- In reply to: John McCoy: "Re: certificate revocation doesn't work"
- Next in thread: John McCoy: "Re: certificate revocation doesn't work"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "D. Cross [MS]" <dcross@online.microsoft.com> Date: Thu, 30 Jan 2003 08:32:11 -0800
This is the correct article; make sure you follow all the steps.
How have you concluded that revocation check is not working?
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"John McCoy" <jmccoy@cmatech.com> wrote in message news:#xp8ldHyCHA.2532@TK2MSFTNGP10...
> David, is there another one, this one didn't seem to do it.
>
> Thanks
>
> --
> John McCoy
> jmccoy@cmatech.com
>
> "David Cross [MS]" <dcross@online.microsoft.com> wrote in message news:O$zJyl5iCHA.2616@tkmsftngp11...
> > start with this one:
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;249780
> >
> > --
> > David B. Cross [MS]
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > http://support.microsoft.com
> >
> > "John McCoy" <jmccoy@cmatech.com> wrote in message news:OjsX6eoiCHA.2536@tkmsftngp12...
> > > David, I searched the knowledge base and couldn't find anything for Outlook 2000 and revocation checking. Would you happen to know the Q article numbers?
> > >
> > > I would like to check it out anyway.
> > >
> > > Thanks
> > >
> > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message news:#xTSgeliCHA.1688@tkmsftngp08...
> > > > easy one - Outlook 2000 does not check revocation by default. You have to set two registry keys (documented in KB articles) to enable this feature. Outlook XP does check revocation by default.
> > > >
> > > > --
> > > > David B. Cross [MS]
> > > > --
> > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > http://support.microsoft.com
> > > >
> > > > "John McCoy" <jmccoy@cmatech.com> wrote in message news:ePV4XSciCHA.2240@tkmsftngp12...
> > > > > David, I tried this in my test lab and even after the user's certificate was revoked I was able to digitally sign an email. I understand the revocation list is in a local cache, but how often is the cache updated if the revocation list is updated, say, hourly?
> > > > >
> > > > > Why isn't this kept in AD so when a user logs in the cert is marked as revoked?
> > > > >
> > > > > I am testing this using Office 2000 and Windows 2000 and Exchange 2000 SP3.
> > > > >
> > > > > Thanks
> > > > >
> > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message news:e7WQlrMiCHA.2636@tkmsftngp08...
> > > > > > I am not saying that the cert is not revoked and no longer invalid - I am just pointing out that the cert viewer you are using is not showing the revoked status. If the user tries to use the cert once it shows up on the CRL, it can't be used for signing or encryption. Also note that when you send a signed mail to a user with a revoked cert, you are using your cert to send the signed mail, not the user who is going to receive the mail.
> > > > > >
> > > > > > --
> > > > > > David B. Cross [MS]
> > > > > > --
> > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > http://support.microsoft.com
> > > > > >
> > > > > > "John McCoy" <itsme109@hotmail.com> wrote in message news:usrsie76m50i1a@corp.supernews.com...
> > > > > > > So what good is revoking a certificate? Am I to assume that if I want to send a user with a revoked certificate a digitally signed email that can't be done since the certificate has been revoked? I set up the certificate revocation list to be published daily.
> > > > > > >
> > > > > > > I am just trying to understand the process and make it work since we are working with organizations to help them comply with HIPAA.
> > > > > > >
> > > > > > > I will look at the article...
> > > > > > >
> > > > > > > Thanks
> > > > > > >
> > > > > > > --
> > > > > > > John McCoy
> > > > > > >
> > > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message news:eRjatFGiCHA.1736@tkmsftngp11...
> > > > > > > > That is correct and it is also important to note that not all applications or the cert viewer (Certificates - MMC for example) check revocation. So the cert may be invalid, but the scenario in which you are viewing it may not be actually checking the revocation.
> > > > > > > >
> > > > > > > > --
> > > > > > > > David B. Cross [MS]
> > > > > > > > --
> > > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > > > http://support.microsoft.com
> > > > > > > >
> > > > > > > > "Steven L Umbach" <sumbach@ameritech.net> wrote in message news:Cccz9.5162$mN6.2172255@newssrv26.news.prodigy.com...
> > > > > > > > > Here is a link about certificate revocation. The part about client cache is very important. Apparently even if a certificate is on the list it might not be updated on clients for several days unless they manually download a new list!! --- Steve
> > > > > > > > >
> > > > > > > > > http://support.microsoft.com/default.aspx?scid=KB;EN-US;313281&
> > > > > > > > >
> > > > > > > > > "Steven L Umbach" <sumbach@ameritech.net> wrote in message news:U0cz9.5161$mN6.2171218@newssrv26.news.prodigy.com...
> > > > > > > > > > Hi John. I don't think the certificate itself is marked "invalid" - but I may be wrong, someone please correct me if I am. However once a certificate is revoked it is published in the revoked list which other computers should check before allowing it to be used for authentication with them. Check to see if the certificate is in the revoked list and then try to use it for authentication and you should be denied access. --- Steve
> > > > > > > > > >
> > > > > > > > > > "John McCoy" <itsme109@hotmail.com> wrote in message news:usqdg0r7cecma0@corp.supernews.com...
> > > > > > > > > > > Hi Steve, I did republish the list afterwards but what bothered me was I logged in as the user and looked at their certificate and it said it was still valid; shouldn't it have seen it wasn't valid?
> > > > > > > > > > >
> > > > > > > > > > > We will be using this to send and receive digitally signed emails and documents so I want to make sure I understand what is happening. I'll look at it Monday but the user's certificate seemed valid to me and that is an issue.
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > John
> > > > > > > > > > > johnm160@hotmail.com
> > > > > > > > > > >
> > > > > > > > > > > "Steven L Umbach" <sumbach@ameritech.net> wrote in message news:D4bz9.5153$mN6.2166308@newssrv26.news.prodigy.com...
> > > > > > > > > > > > Hi John. I see no one else answered this so let me take a stab at it, but it has been a while since I played with a CA. If I recall correctly when a certificate is revoked it is not removed or modified in any way, but is put on the revoked list where other computers will check first before allowing it to be used for any authentication. This is the best way because someone can have multiple copies of their certificate at different places. I remember that revoked lists are updated on a periodic basis and you may want to use your CA MMC to do an immediate update/publish after a revocation and then check the revocation list on the CertEnroll share. Good luck. --- Steve
> > > > > > > > > > > >
> > > > > > > > > > > > "John McCoy" <jmccoy@cmatech.com> wrote in message news:#SJiYG3hCHA.2008@tkmsftngp08...
> > > > > > > > > > > > > I have an AD CA and revoked a user's certificate and saw it on the list but the user still has the certificate which says it is valid. This is internally in our AD domain.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thanks
> > > > > > > > > > > > >
> > > > > > > > > > > > > John McCoy
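The thread's recurring problem is that the Certificates snap-in shows a revoked certificate as "valid" because it never evaluates revocation, while a client that does check still works from a cached CRL until that CRL expires. The script below is an added example, not code from the thread or from Microsoft: it asks CryptoAPI (via .NET's X509Chain) to build the chain with revocation checking enabled, so an administrator sees what a revocation-aware application would decide. It assumes the user's certificate sits in the CurrentUser\My store and that PowerShell 5 or later is available; the subject filter value is a constructed placeholder.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (not from the thread): evaluate a certificate's chain with
# revocation checking on, instead of trusting what the cert viewer displays.
param(
    [string] $SubjectFilter = 'CN=John McCoy'   # constructed placeholder subject
)

function Test-CertRevocation {
    param([X509Certificate2] $Cert)

    $chain = New-Object X509Chain
    # Online allows CRL/OCSP retrieval over the network (Offline would consult
    # only the local cache). CryptoAPI still reuses a cached CRL until its
    # NextUpdate time, which is exactly the lag the thread is about.
    $chain.ChainPolicy.RevocationMode      = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)

    $built = $chain.Build($Cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })

    $result = [pscustomobject]@{
        Subject           = $Cert.Subject
        Thumbprint        = $Cert.Thumbprint
        ChainBuilt        = $built
        # Revoked: the CRL (or OCSP response) lists this certificate
        Revoked           = ($flags -contains [X509ChainStatusFlags]::Revoked)
        # No usable revocation data; most applications treat this as a failure
        RevocationUnknown = ($flags -contains [X509ChainStatusFlags]::RevocationStatusUnknown) -or
                            ($flags -contains [X509ChainStatusFlags]::OfflineRevocation)
        Details           = (@($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
    $chain.Reset()
    return $result
}

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$SubjectFilter*" } |
    ForEach-Object { Test-CertRevocation -Cert $_ } |
    Format-List
```

Run it in the affected user's session; if Revoked is still False after the CA has published a fresh CRL, the client is most likely still inside the cached CRL's validity window, and on current Windows certutil's -urlcache option can list and clear that client-side cache so the next check retrieves the CA's latest list.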