[36060] in bugtraq
Re: Windows doesn't verify digital signature of CRL files
daemon@ATHENA.MIT.EDU (Thomas Walpuski)
Tue Aug 10 11:52:19 2004
Date: Tue, 10 Aug 2004 07:32:40 +0000
From: Thomas Walpuski <thomas-bugtraq@unproved.org>
To: Faro Poplar <faropoplar@yahoo.com>
Cc: bugtraq@securityfocus.com
Message-ID: <20040810073239.GB5926@unproved.org>
Mail-Followup-To: Faro Poplar <faropoplar@yahoo.com>, bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040809143138.25202.qmail@www.securityfocus.com>
* Faro Poplar wrote:
> Has anyone noticed that Windows doesn't verify the digital signature
> of CRL files (*.crl)?
Yes, I noticed that about 2 years ago. IMO this is no security issue.
CRLs are retrieved from the certificate store via CertGetCRLFromStore.
Sane use of CertGetCRLFromStore makes sure only properly signed CRLs are
used (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/certverifycrlrevocation.asp).
Thomas Walpuski
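The check the reply relies on, verifying a CRL's signature against the issuing CA's certificate before the CRL is consulted, as an added example that is not part of the original message and not Windows CryptoAPI code. It is a POSIX shell script driving the openssl CLI: it builds a throwaway "Demo CA", issues a CRL with it, then builds a second, unrelated key pair that uses the same issuer name and issues a CRL with that. The CA names, file layout and the rogue issuer are constructed for the demonstration; the only real interfaces used are `openssl req`, `openssl ca -gencrl` and `openssl crl -CAfile`.

```shell
#!/bin/sh
# Added example (not from the original post): verify a CRL's signature against
# the issuer's certificate before trusting it. Uses the openssl CLI; all keys,
# names and paths are constructed demo data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR: create a self-signed CA named "Demo CA" in DIR, plus the minimal
# database files that "openssl ca -gencrl" needs in order to issue a CRL.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    : > "$dir/index.txt"        # empty certificate database: nothing revoked yet
    echo 01 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
new_certs_dir = $dir
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 7
policy = policy_any

[ policy_any ]
commonName = supplied
EOF
}

# issue_crl DIR OUT: sign an (empty) CRL with the CA in DIR and write it to OUT.
issue_crl() {
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$2" >/dev/null 2>&1
}

# verify_crl CRL CA_CERT: succeed only when the CRL's signature verifies under
# the public key in CA_CERT. The output is string-matched because older openssl
# releases exit 0 even when they print "verify failure".
verify_crl() {
    result=$(openssl crl -in "$1" -CAfile "$2" -noout 2>&1) || true
    case "$result" in
        *"verify OK"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# The legitimate CA and its CRL.
make_ca "$WORK/legit"
issue_crl "$WORK/legit" "$WORK/legit/crl.pem"

# A second key pair carrying the *same* issuer name. A CRL it signs is a
# "Demo CA" CRL by name alone, which is exactly why the signature must be
# checked against the issuer's key rather than trusted on the issuer field.
make_ca "$WORK/rogue"
issue_crl "$WORK/rogue" "$WORK/rogue/crl.pem"

if verify_crl "$WORK/legit/crl.pem" "$WORK/legit/ca.pem"; then
    echo "legit CRL: signature verifies under Demo CA, safe to consult"
fi
if ! verify_crl "$WORK/rogue/crl.pem" "$WORK/legit/ca.pem"; then
    echo "rogue CRL: issuer name matches but signature does not, reject it"
fi
```

The rogue CRL is a perfectly well-formed CRL and verifies under its own key, so a store that imports CRLs without checking signatures cannot tell it from the genuine one; only the issuer-key check in `verify_crl` separates them.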