| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1479.192.138.31.191.1092154067.squirrel@192.138.31.191> Date: Tue, 10 Aug 2004 11:07:47 -0500 (CDT) From: "Neil Gierman" <ngierman@...drunn.com> To: "Thomas Walpuski" <thomas-bugtraq@...roved.org> Cc: "Faro Poplar" <faropoplar@...oo.com>, bugtraq@...urityfocus.com Subject: Re: Windows doesn't verify digital signature of CRL files Correct me if I am wrong but I understood that certificate validation was processed by the information in the certificate to be validated (CDP or AIA extension). If the CDP location contains a valid CRL URL and that CA's CRL is not already in cache, then the CRL is retreived from that CDP URL in the certificate. If a person was able to inject a modified CRL into that CDP URL, or redirect the client machine to an alternate server for LDAP/HTTP CRL download, and CAPI is not validating signatures on CRL's then a person could use a revoked certificate for access to systems among other things. While this may not be a bug I think it would be a wise security practice to validate a signature if it is there. Neil > * Faro Poplar wrote: >> Has anyone noticed that Windows doesn't verify the digital signature >> of CRL files (*.crl). > > Yes, I noticed that about 2 years ago. IMO this is no security issue. > CRLs are retrieved from the certificate store via CertGetCRLFromStore. > Sane use of CertGetCRLFromStore makes sure only properly signed CRLs are > used (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ > seccrypto/security/certverifycrlrevocation.asp). > > Thomas Walpuski >
Powered by blists - more mailing lists