  1. #1

    Certificate Revocation List

    Does anyone know what a Microsoft "Certificate Revocation List" is or how it's used? The file name is "WindowsPCA.crl".
    I found this download URL, "http://crl.microsoft.com/pki/crl/pro...indowsPCA.crl", in my Temporary Internet Files folder.

    I'm looking for a non-MS explanation, which is why I'm posting here rather than the MS website.

    Have a Great day!!!
    Ken

  2. #2

    Re: Certificate Revocation List


  3. #3
    Super Moderator jscher2000

    Re: Certificate Revocation List

    A year or two ago, I think there was a problem with some certificates that would authenticate certain software as Microsoft software when it wasn't. The details escape me. For situations like this, your certificate checker is supposed to query the certificate authority to see if the certificate remains valid. I'm guessing that the revocation file that is on your computer is intended to shortcut that process, but it's just a guess.

  4. #4

    Re: Certificate Revocation List

    Thanks SMBP and jscher

    After checking SMBP's links and checking my copy of "The Complete Reference, WindowsME Millennium Edition", I now have info-overload... my computer seems to be updating "Certificates" automatically... they apparently have to do with trusting servers, email sources, etc.

    Verisign and Thawte (a subsidiary of Verisign) are the two most common issuers (CAs or Certificate Authorities).
    I don't understand all the implications of the certificates but I'm not going to let this worry me as I don't have any problems accessing sites, obtaining downloads or verifying email sources.

    FYI, (in WindowsME at least) if you go to Control Panel > Internet Options > Content > Certificates you'll be able to open various tabs to list the certificates you have installed. I have about 130.

    Have a Great day!!!
    Ken

  5. #5

    Re: Certificate Revocation List

    A very brief explanation...

    Public keys are exchanged using Certificates. A certificate contains the Public Key and lots of information about the key, including a Name or other Identifier, information about what the corresponding private key can be used for, dates when the key is valid etc. The whole certificate is signed using the private key of a Certificate Authority.

    You have a large number of trusted certificate authorities known to your PC; you can see this list at Internet Explorer > Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities. You can see all the information on a typical certificate by connecting to an https: secure web site and double clicking the padlock symbol at the bottom right-hand corner of Internet Explorer.

    Sometimes it may be necessary to revoke a certificate even though its expiry date hasn't arrived. To enable this, every certificate has a pointer to the Certificate Revocation List (CRL) that will be used if it ever needs to be revoked. Every application that looks at the certificate should check this CRL before it allows the certificate to be used.

    Unfortunately the default behaviour of Internet Explorer is to never check CRLs. You can change this at Tools > Internet Options > Advanced > Security > Check for server certificate revocation (requires restart). So when someone got hold of a perfectly valid Microsoft Corporation certificate last year, Microsoft had to release a patch to add these invalid certificates to the hard coded list of revoked certificates that is stored on your PC. (See Microsoft Security Bulletin MS01-017.) I assume that other companies with similar problems may well have asked Microsoft to include yet more certificates in this hard coded list.

    StuartR
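
The CRL check described in the post above, as an added Go example that is not part of the original thread. It goes one step further than the post by also refusing a list that the issuing CA did not sign or that is past its nextUpdate time. `Setup`, `CheckCRL`, `must` and the result strings are illustrative names, and the CA and CRL are constructed in memory, so nothing is fetched from a certificate's CRL pointer.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Setup (illustrative helper) builds a constructed demo CA and a CRL, signed by it, revoking one serial.
func Setup(revoked int64) (*x509.Certificate, *x509.RevocationList) {
	key, now := must(rsa.GenerateKey(rand.Reader, 2048)), time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCRLSign, NotBefore: now, NotAfter: now.Add(48 * time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	list := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(revoked), RevocationTime: now}}}
	return ca, must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, list, ca, key))))
}

// CheckCRL reports whether a certificate serial may be used, according to a CRL from its issuing CA.
func CheckCRL(serial *big.Int, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) string {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return "crl-untrusted" // only the CA's signature makes a revocation list authoritative
	}
	if now.After(crl.NextUpdate) {
		return "crl-stale" // a newer list may exist, so absence from this one proves nothing
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return "revoked"
		}
	}
	return "good"
}

func main() {
	ca, crl := Setup(1001)
	fmt.Println(CheckCRL(big.NewInt(1001), ca, crl, time.Now()), CheckCRL(big.NewInt(7), ca, crl, time.Now()))
}
```

A caller that gets "crl-untrusted" or "crl-stale" has no revocation answer at all and has to decide whether to fail closed.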

  6. #6

    Re: Certificate Revocation List

    Thanks for the explanation Stuart.

    Have a Great day!!!
    Ken
