Re: revoking ipsec certificate doesn't work
From: Brian Komar [MVP] (bkomar_at_nospam.identit.ca)
Date: 09/26/05
- Next message: Terry Barkoulas: "Re: 2003 server with PCanywhere i"
- Previous message: Franz Schenk: "Re: revoking ipsec certificate doesn't work"
- In reply to: Franz Schenk: "Re: revoking ipsec certificate doesn't work"
- Next in thread: Franz Schenk: "Re: revoking ipsec certificate doesn't work"
- Reply: Franz Schenk: "Re: revoking ipsec certificate doesn't work"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 Sep 2005 07:08:34 -0500
More answers inline...
In article <#D52PqnwFHA.664@tk2msftngp13.phx.gbl>,
franz.schenkNOSPAM@fititNO-_SPAM.ch says...
> Hi Brian
>
> Thank you very much for your help! Your whitepaper explains the whole matter
> to me, although this paper is hard to find: A search on MS Technet with the
> keywords "certificate revocation" reveals your whitepaper at position thirty
> or so.
>
> Some points are not clear to me. You write in your paper:
> "Internet Protocol Security (IPSec)
> CRL checking is not enabled by default in Windows 2000. With the release of
> Windows 2000 SP2, an additional registry key was added that can enable CRL
> checking for IPSec certificate-based authentication."
>
> - Is my understanding and my experience correct, that IPSec CRL checking is
> not enabled by default also with Windows XP and with Windows XP SP2? At
> least on my test machine, the registry key you mentioned is not present by
> default.
>
The key is not present on my laptop as well. But, according to the
article "How IPSec works" in the section titled "IPSec CRL Checking"
available at http://tinyurl.com/8r2sl, CRL checking is enabled by
default in Windows XP SP2 and Windows Server 2003, but only a check for
revocation is performed, not a full validation check of the computer.
> - Is my conclusion correct, that certificate revocation in combination with
> IPSec doesn't work at all without distributing this registry key to all
> client systems?
If you want strong CRL checking, you must distribute the key to all
participating systems.
>
> - Is the following also correct, that relying on certificate revocation in
> an IPSec client server environment is wrong, when distributing certificates
> to computers that are not member of the domain? (A malicious user with a
> computer that does not belong to the domain can delete this registry key and
> can use the certificate for IPSec VPN connections until the certificate is
> expired)?
>
A malicious user would have to attempt connection to a computer that
does not have the registry key enabled. Remember, the authentication in
main mode is mutual authentication. Both sides must agree to participate
in the connection.
> Thank you in advance for your help!
> Franz
>
>
> "Brian Komar [MVP]" <bkomar@nospam.identit.ca> schrieb im Newsbeitrag
> news:MPG.1d9e818bc33d44a69896ad@msnews.microsoft.com...
> > In article <OC33ceEwFHA.3864@TK2MSFTNGP12.phx.gbl>,
> > franz.schenkNOSPAM@fititNO-_SPAM.ch says...
> >> Thank you for your information.
> >>
> >> It's possible to publish manually the update delta and full CRL using the
> >> CA
> >> MMC SnapIn on the Server. I also have verified that this CRL is published
> >> in
> >> AD and in a file.
> >> Despite of that, my test VPN client (or the VPN server) never checks if
> >> the
> >> certificate using for the L2TP/IPSec connection is revoked or not. The
> >> Win
> >> XP SP2 client can establish the L2TP/IPSec VPN connection to the Windows
> >> Server 2003 SP1 without any problem after the certificate is revoked
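The "distribute the key to all participating systems" step above, as an added example that is not part of the original post or of Brian Komar's whitepaper. The key path HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley and the StrongCrlCheck DWORD (0 = no CRL check, 1 = fail only if the certificate is revoked, 2 = fail on any CRL-check error) are the ones Microsoft documents for the IPsec Policy Agent; the script itself, the exported-certificate path, and the output strings are this example's own assumptions. Because main mode authentication is mutual, the host that matters most is the responder (the VPN server or gateway), which a non-domain peer cannot tamper with, so run it there first.

```powershell
# Added example: enable strong IPsec CRL checking on a Windows XP SP2 /
# Server 2003 host and confirm the setting took effect.
# Key path and StrongCrlCheck semantics are Microsoft's; the rest is illustrative.

$oakley = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley'

# Documented meaning of StrongCrlCheck:
#   0 = no CRL checking (Windows 2000 default)
#   1 = check the CRL, fail only if the certificate is revoked
#       (the behaviour XP SP2 / 2003 fall back to when the value is absent)
#   2 = strong check: fail if revoked OR if the CRL cannot be fetched/validated
$desired = 2

# The Oakley key is frequently absent by default, which is the situation
# the thread describes; create it rather than failing on a missing path.
if (-not (Test-Path $oakley)) {
    New-Item -Path $oakley -Force | Out-Null
}

$current = (Get-ItemProperty -Path $oakley -ErrorAction SilentlyContinue).StrongCrlCheck
if ($null -eq $current) {
    'StrongCrlCheck absent: host uses the default revocation-only check'
} else {
    "StrongCrlCheck currently $current"
}

if ($current -ne $desired) {
    Set-ItemProperty -Path $oakley -Name StrongCrlCheck -Type DWord -Value $desired
    # The IPsec Policy Agent reads the value at start-up, so restart it
    # (equivalent to 'net stop policyagent' / 'net start policyagent').
    Restart-Service -Name PolicyAgent -Force
}

$after = (Get-ItemProperty -Path $oakley).StrongCrlCheck
"StrongCrlCheck now $after"

# Exercise the same CRL path IPsec will use: certutil follows the CDP in the
# certificate and reports whether the CRL is reachable and the cert revoked.
# $certPath is an assumed location for an exported copy of the peer's certificate.
$certPath = 'C:\temp\ipsec-peer.cer'
if (Test-Path $certPath) {
    certutil -urlfetch -verify $certPath
}
```

With the value set to 2, a peer whose CRL distribution point is unreachable from this host will also fail main mode, so check that the CDP URL embedded in the certificates is resolvable from every participating machine before rolling the setting out; otherwise the symptom looks like a broken tunnel rather than a revocation.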