Bugtraq: Re: Windows doesn't verify digital signature of CRL files

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: Windows doesn't verify digital signature of CRL files

From: Thomas Walpuski <thomas-bugtraq () unproved org>
Date: Tue, 10 Aug 2004 07:32:40 +0000

* Faro Poplar wrote:

Has anyone  noticed that Windows doesn't verify the digital signature
of CRL files  (*.crl).


Yes, I noticed that about 2 years ago. IMO this is no security issue.
CRLs are retrieved from the certificate store via CertGetCRLFromStore.
Sane use of CertGetCRLFromStore makes sure only properly signed CRLs are
used (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/
seccrypto/security/certverifycrlrevocation.asp).

Thomas Walpuski

By Date By Thread

Current thread:

Windows doesn't verify digital signature of CRL files Faro Poplar (Aug 09)
- Re: Windows doesn't verify digital signature of CRL files Thomas Walpuski (Aug 10)
  - Re: Windows doesn't verify digital signature of CRL files Neil Gierman (Aug 10)
    - Re: Windows doesn't verify digital signature of CRL files Jack Lloyd (Aug 10)
    - Re: Windows doesn't verify digital signature of CRL files Thomas Walpuski (Aug 11)
    - Re: Windows doesn't verify digital signature of CRL files Thomas Walpuski (Aug 10)
  - Re: Windows doesn't verify digital signature of CRL files Valdis . Kletnieks (Aug 10)