[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Windows doesn't verify digital signature of CRL files

To: Faro Poplar <faropoplar@xxxxxxxxx>
Subject: Re: Windows doesn't verify digital signature of CRL files
From: Thomas Walpuski <thomas-bugtraq@xxxxxxxxxxxx>
Date: Tue, 10 Aug 2004 07:32:40 +0000

* Faro Poplar wrote:
> Has anyone  noticed that Windows doesn't verify the digital signature
> of CRL files  (*.crl).

Yes, I noticed that about 2 years ago. IMO this is no security issue.
CRLs are retrieved from the certificate store via CertGetCRLFromStore.
Sane use of CertGetCRLFromStore makes sure only properly signed CRLs are
used (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/
seccrypto/security/certverifycrlrevocation.asp).

Thomas Walpuski

Follow-Ups:
- Re: Windows doesn't verify digital signature of CRL files
  - From: Neil Gierman
- Re: Windows doesn't verify digital signature of CRL files
  - From: Valdis . Kletnieks

References:
- Windows doesn't verify digital signature of CRL files
  - From: Faro Poplar

Prev by Date: MDKSA-2004:080 - Updated shorewall packages fix temporary file vulnerabilities
Next by Date: [ GLSA 200408-07 ] Horde-IMP: Input validation vulnerability for Internet Explorer users
Previous by thread: Windows doesn't verify digital signature of CRL files
Next by thread: Re: Windows doesn't verify digital signature of CRL files
Index(es):
- Date
- Thread