Re: Offline Smart Card Logon

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 10/21/04


Date: Thu, 21 Oct 2004 00:29:00 +0200

Hi,

For successful smart card logon, a valid CRL (certificate revocation list)
must be available. You can add (you should add) a CDP (CRL Distribution
Point) that is publicly available for the clients that travel for longer
periods of time (also your business partners (or their e-mail client) might
want to check the validity of an issued certificate if you exchange signed
e-mails). You can have your CDP at e.g. http://cdp.domain.com/ where
domain.com is your domain name and cdp.domain.com is an address accessible from
the internet. Once your CA issues a new CRL (it depends on your configuration)
or a CRL is issued manually, you can copy (or automate the transfer of) the files to
the URL that you defined as the CDP.

You can't add or edit the CDP list on certificates that are already issued (if
you do, the certificate signature becomes invalid). You have to add your
additional CDP on your CA first. Once you have made this change on the CA, you have
to issue new certificates to users, and these new certificates will include the
new CDP.

Clients do cache the CRL and will use it as long as the CRL is valid.

Troubleshooting Certificate Status and Revocation
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

Mike

"MC" <seaedsit@hotmail.com> wrote in message
news:OQ1sd8utEHA.2116@TK2MSFTNGP14.phx.gbl...
> Hi,
>
> It's possible to log on to Windows XP via smart cards even when there's no
> network connection (offline due to cached credentials).
>
> How does Windows check if the smart card user certificate is valid when
> it's not possible to access a valid CRL?
>
> Does a Windows XP client cache the last known valid CRL?
>
> Is it still possible to log on offline via smart cards when the CRL has
> expired?
>
> Is there any procedure for dealing with notebook users, who often work
> offline for a long time (maybe several weeks)?
>
>
> Thanks
> MC
>
>
>
>
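The publishing and checking steps Mike describes, as an added example that is not part of the original post: add a public HTTP CDP to the CA's CRL publication URLs, publish a fresh CRL, copy it to the public host, and inspect the validity window and the client's CRL cache with certutil. It assumes an enterprise CA whose CRL is written to the default CertEnroll folder, a web host reachable as http://cdp.domain.com/ (the hostname from the post) with a hypothetical file share \\cdp.domain.com\cdp$ behind it, and a user certificate exported as user.cer; all of those names are assumptions.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the CA; the last two commands run on a client.
# Assumed names: share \\cdp.domain.com\cdp$ serves http://cdp.domain.com/,
# user.cer is an exported smart card logon certificate.

# 1. Add the public CDP to the CA. certutil flag prefixes on each URL:
#    1 = publish the CRL to this location,
#    2 = include this URL in the CDP extension of newly issued certificates.
#    Tokens: %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix.
#    certutil splits REG_MULTI_SZ values on a literal "\n"; PowerShell does
#    not interpret "\n", so it reaches certutil unchanged.
$localCdp  = "1:$env:WINDIR\system32\CertSrv\CertEnroll\%3%8%9.crl"
$publicCdp = '2:http://cdp.domain.com/%3%8%9.crl'
certutil -setreg CA\CRLPublicationURLs "$localCdp\n$publicCdp"

# Restart the CA service so the new CDP list is used. Certificates that were
# already issued are NOT changed; they must be reissued to carry the new CDP.
Restart-Service CertSvc

# 2. Publish a new CRL and copy it to the public CDP host.
certutil -CRL
$crlFiles = Get-ChildItem "$env:WINDIR\system32\CertSrv\CertEnroll\*.crl"
foreach ($crl in $crlFiles) {
    Copy-Item $crl.FullName '\\cdp.domain.com\cdp$\' -Force
}

# 3. Show the validity window of the published CRL. An offline client can
#    keep using its cached copy only until NextUpdate has passed, so this
#    window bounds how long travelling users can stay offline.
foreach ($crl in $crlFiles) {
    certutil -dump $crl.FullName | Select-String 'ThisUpdate|NextUpdate'
}

# 4. On a client: list the CRLs currently in the URL cache, then verify the
#    user certificate and fetch the CRL from each CDP listed in it
#    (fails for an older certificate that does not yet carry the public CDP).
certutil -urlcache crl
certutil -verify -urlfetch .\user.cer
```

Step 3 is the number to plan around: the CRL publication period set on the CA, not the certificate lifetime, decides how many weeks a notebook user can work offline before the cached CRL expires.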
