Re: Offline Smart Card Logon
From: MC (seaedsit_at_hotmail.com)
Date: 10/21/04
- Previous message: Miha Pihler: "Re: Offline Smart Card Logon"
- In reply to: Miha Pihler: "Re: Offline Smart Card Logon"
- Next in thread: David Cross [MS]: "Re: Offline Smart Card Logon"
- Reply: David Cross [MS]: "Re: Offline Smart Card Logon"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 21 Oct 2004 11:12:44 +0200
Mike,
So it seems that there's a problem using smart card logon for mobile users
who often work offline for longer periods.
Of course I can set an externally accessible URL in the CDP. My problem is
that those mobile clients are NOT connected to any network.
So smart card logon would only work as long as the notebooks have a valid, not
expired CRL in their cache. If the CRL has expired, smart card logon would
fail, right?
Another problem is that I can define the CRL expiration overlap time to
only 12 hours. So the mobile clients MUST go online BEFORE the CRL is going
to expire and AFTER a new CRL has been published by the CA.
Since I can only define a 12-hour window, the clients have only 12 hours
to log on and download a valid "new" CRL. Is that true?
Thanks
MC
"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:ecoNSRvtEHA.3628@tk2msftngp13.phx.gbl...
> Hi,
>
> For successful smart card logon, a valid CRL (certificate revocation list)
> must be available. You can add (you should add) a CDP (CRL Distribution
> Point) that is publicly available for the clients that travel for longer
> periods of time (also your business partners (or their e-mail client) might
> want to check the validity of an issued certificate if you exchange signed
> e-mails). You can have your CDP at e.g. http://cdp.domain.com/ where
> domain.com is your domain name and cdp.domain.com is an address accessible
> from the internet. Once your CA issues a new CRL (it depends on your
> configuration) or a CRL is issued manually, you can copy (or automate the
> transfer of) the files to the URL that you defined as CDP.
>
> You can't add or edit the CDP list on certificates that are already issued
> (if you do, the certificate signature becomes invalid). You have to add your
> additional CDP on your CA first. Once you have made these changes on the CA,
> you have to issue new certificates to users, and these new certificates will
> include the new CDP.
>
> Clients do cache the CRL and will use it as long as the CRL is valid.
>
> Troubleshooting Certificate Status and Revocation
> http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
>
> Mike
>
> "MC" <seaedsit@hotmail.com> wrote in message
> news:OQ1sd8utEHA.2116@TK2MSFTNGP14.phx.gbl...
> > Hi,
> >
> > It's possible to log on to Windows XP via smart cards even when there's no
> > network connection (offline, due to cached credentials).
> >
> > How does Windows check if the smart card user certificate is valid when
> > it's not possible to access a valid CRL?
> >
> > Does a Windows XP client cache the last known valid CRL?
> >
> > Is it still possible to log on offline via smart cards when the CRL has
> > expired?
> >
> > Is there any procedure for dealing with notebook users who often work
> > offline for a long time (maybe several weeks)?
> >
> >
> > Thanks
> > MC
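Added example, not part of the original thread or of any Microsoft documentation: a PowerShell fragment that models the CRL validity arithmetic the thread is arguing about. On a Windows Server 2003 CA a base CRL's NextUpdate is ThisUpdate + CRLPeriod + CRLOverlapPeriod, and the next CRL is published after CRLPeriod, so the overlap is exactly the window in which a client still holding the old CRL can fetch the new one before the old one expires. The overlap is set with the CA\CRLOverlapUnits and CA\CRLOverlapPeriod registry values (certutil -setreg); when they are left at 0 the CA uses 10 percent of the CRL period, capped at 12 hours, which is where a 12-hour window comes from. The example models CRL lifetimes only; it does not settle whether the client actually consults a CRL during a cached (offline) logon. All dates, periods and the three-week trip are constructed values, and the function names are mine.

```powershell
# Added example (not from the thread). Models Windows CA base-CRL lifetimes:
# NextUpdate = ThisUpdate + CRLPeriod + CRLOverlap, new CRL every CRLPeriod.

function Get-CrlSchedule {
    param(
        [Parameter(Mandatory)][datetime]$FirstPublish,  # ThisUpdate of the first CRL
        [Parameter(Mandatory)][timespan]$CrlPeriod,     # CA\CRLPeriodUnits + CA\CRLPeriod
        [Parameter(Mandatory)][timespan]$CrlOverlap,    # CA\CRLOverlapUnits + CA\CRLOverlapPeriod
        [int]$Count = 4                                 # how many consecutive CRLs to list
    )
    0..($Count - 1) | ForEach-Object {
        # FromTicks avoids TimeSpan*int, which .NET Framework 4.x lacks.
        $thisUpdate = $FirstPublish + [timespan]::FromTicks($CrlPeriod.Ticks * $_)
        [pscustomobject]@{
            Number             = $_
            ThisUpdate         = $thisUpdate
            NextUpdate         = $thisUpdate + $CrlPeriod + $CrlOverlap
            # A client holding THIS CRL must come online between the next
            # publication and this CRL's expiry to pick up the successor.
            RefreshWindowStart = $thisUpdate + $CrlPeriod
            RefreshWindowEnd   = $thisUpdate + $CrlPeriod + $CrlOverlap
        }
    }
}

function Test-CachedCrlCoverage {
    # Does the CRL a notebook fetched before leaving outlast its offline stretch?
    param(
        [Parameter(Mandatory)][datetime]$CachedNextUpdate,
        [Parameter(Mandatory)][datetime]$OfflineFrom,
        [Parameter(Mandatory)][datetime]$OfflineUntil
    )
    $uncovered = if ($CachedNextUpdate -lt $OfflineUntil) {
        ($OfflineUntil - $CachedNextUpdate).TotalDays
    } else { 0 }
    [pscustomobject]@{
        OfflineFrom    = $OfflineFrom
        OfflineUntil   = $OfflineUntil
        CrlExpires     = $CachedNextUpdate
        CoveredOffline = ($CachedNextUpdate -ge $OfflineUntil)
        UncoveredDays  = $uncovered
    }
}

# Constructed values (hypothetical CA): weekly base CRL first published 18 Oct 2004.
$publish = [datetime]'2004-10-18T08:00:00'
$weekly  = New-TimeSpan -Days 7

# 12-hour overlap: every CRL leaves a 12-hour refresh window.
Get-CrlSchedule -FirstPublish $publish -CrlPeriod $weekly -CrlOverlap (New-TimeSpan -Hours 12) -Count 3 |
    Format-Table Number, ThisUpdate, NextUpdate, RefreshWindowStart, RefreshWindowEnd

# 7-day overlap: the old CRL stays valid a full week after its successor appears.
$longOverlap = Get-CrlSchedule -FirstPublish $publish -CrlPeriod $weekly -CrlOverlap (New-TimeSpan -Days 7) -Count 3
$longOverlap | Format-Table Number, ThisUpdate, NextUpdate, RefreshWindowStart, RefreshWindowEnd

# Notebook that cached CRL 0 on publication day and then spends three weeks offline.
Test-CachedCrlCoverage -CachedNextUpdate $longOverlap[0].NextUpdate `
                       -OfflineFrom $publish -OfflineUntil $publish.AddDays(21)

# CA-side settings these timespans correspond to (run on the CA; values illustrative):
#   certutil -setreg CA\CRLPeriodUnits 1
#   certutil -setreg CA\CRLPeriod "Weeks"
#   certutil -setreg CA\CRLOverlapUnits 1
#   certutil -setreg CA\CRLOverlapPeriod "Weeks"
#   net stop certsvc ; net start certsvc
#   certutil -CRL                 # publish a fresh CRL with the new lifetime
# On a client: certutil -urlcache CRL   lists cached CRLs;  certutil -dump <file>.crl  shows ThisUpdate/NextUpdate.
```

With the weekly CRL and 12-hour overlap, each CRL's refresh window is 12 hours, as MC describes; with a 7-day overlap each CRL is valid for 14 days and the refresh window is the whole week. Neither covers a three-week absence, so Test-CachedCrlCoverage reports the trip as uncovered: the CRL period plus overlap has to exceed the longest expected offline stretch, and the price of stretching it is that a revocation takes correspondingly longer to take effect on every client still holding the old CRL.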