Verisign CRL single point of failure
Dirk-Willem van Gulik
dirkx at webweaving.org
Thu Apr 1 04:22:47 EST 2004
On Jan 9, 2004, at 8:06 PM, Rich Salz wrote:
> dave kleiman wrote:
>> Because the client has a Certificate Revocation Checking function
>> turned on
>> in a particular app (i.e. IE or NAV).
> I don't think you understood my question. Why is crl.verisign.com
> getting overloaded *now.* What does the expiration of one of their CA
> certificates have to do with it? Once you see that a cert has
> expired, there's no need whatsoever to go look at the CRL. The point
> of a CRL is to revoke certificates prior to their expiration.
Though I have no particular experience with the virus-scan software;
we've seen exactly
this behavior with a couple of medical app's build onto the same
libraries. Once any cert
in the bundle is expired the software -insists- on checking with the
CRL at startup. And it will
hang if it cannot. When it gets the info back - It does not cache the
(negative) information;
nor does that seem to trigger any clever automated roll-over. We tried
tricking it with flags like
'superseded' and cessationOfOperation in the reasons/cert status mask -
but no avail. The
only workaround we've found is to remove all expired certs from the
system asap.
My guess it is just a bug in a library; albeit a commonly used one.
Dw.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list