Bugtraq mailing list archives

Re: Windows doesn't verify digital signature of CRL files

From: Thomas Walpuski <thomas-bugtraq () unproved org>
Date: Tue, 10 Aug 2004 07:32:40 +0000

* Faro Poplar wrote:

Has anyone  noticed that Windows doesn't verify the digital signature
of CRL files  (*.crl).


Yes, I noticed that about 2 years ago. IMO this is no security issue.
CRLs are retrieved from the certificate store via CertGetCRLFromStore.
Sane use of CertGetCRLFromStore makes sure only properly signed CRLs are
used (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/
seccrypto/security/certverifycrlrevocation.asp).

Thomas Walpuski

Current thread:

Windows doesn't verify digital signature of CRL files Faro Poplar (Aug 09)
- Re: Windows doesn't verify digital signature of CRL files Thomas Walpuski (Aug 10)
  - Re: Windows doesn't verify digital signature of CRL files Neil Gierman (Aug 10)
    - Re: Windows doesn't verify digital signature of CRL files Jack Lloyd (Aug 10)
    - Re: Windows doesn't verify digital signature of CRL files Thomas Walpuski (Aug 11)
    - Re: Windows doesn't verify digital signature of CRL files Thomas Walpuski (Aug 10)
  - Re: Windows doesn't verify digital signature of CRL files Valdis . Kletnieks (Aug 10)
- <Possible follow-ups>
- Windows doesn't verify digital signature of CRL files Michael Howard (Aug 11)