Verisign CRL single point of failure

Dirk-Willem van Gulik dirkx at webweaving.org
Thu Apr 1 04:22:47 EST 2004


On Jan 9, 2004, at 8:06 PM, Rich Salz wrote:

> dave kleiman wrote:

>> Because the client has a Certificate Revocation Checking function 
>> turned on in a particular app (i.e. IE or NAV).

> I don't think you understood my question.  Why is crl.verisign.com 
> getting overloaded *now.*  What does the expiration of one of their CA 
> certificates have to do with it?  Once you see that a cert has 
> expired, there's no need whatsoever to go look at the CRL.  The point 
> of a CRL is to revoke certificates prior to their expiration.

Though I have no particular experience with the virus-scan software, 
we've seen exactly this behavior with a couple of medical apps built onto 
the same libraries. Once any cert in the bundle is expired the software 
-insists- on checking with the CRL at startup. And it will hang if it 
cannot. When it gets the info back, it does not cache the (negative) 
information; nor does that seem to trigger any clever automated 
roll-over. We tried tricking it with flags like 'superseded' and 
cessationOfOperation in the reasons/cert status mask - but to no avail. 
The only workaround we've found is to remove all expired certs from the 
system asap.

My guess is it is just a bug in a library; albeit a commonly used one.

Dw.
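The two points raised in this exchange, that an already-expired certificate needs no CRL lookup at all, and that a client should cache a fetched CRL until its nextUpdate and bound the fetch rather than hang at startup, can be shown as a small revocation-check policy. The following is an added illustration written for this archive page; it is not the library the thread discusses, and the `Crl` class, the `CrlCache`, the fetch callback and the sample URLs and serials are all hypothetical, constructed for the demo.

```python
"""
Revocation-check policy sketch: skip the CRL for an already-expired
certificate, cache a fetched CRL until its nextUpdate, and never block
startup indefinitely on a CRL fetch.  Added illustration only; the
fetcher, cache and names below are hypothetical, not any real library.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Set


@dataclass
class Crl:
    """Minimal stand-in for a parsed CRL: when it was issued, when the
    next one is due, and the serial numbers it revokes."""
    this_update: datetime
    next_update: datetime
    revoked_serials: Set[int] = field(default_factory=set)


class CrlUnavailable(Exception):
    """Raised when no usable CRL can be obtained within the time budget."""


def needs_crl_check(not_after: datetime, now: datetime) -> bool:
    """A certificate past its notAfter is invalid on its own; consulting
    the CRL cannot change that, so the lookup is skipped entirely."""
    return now <= not_after


class CrlCache:
    """Caches CRLs by distribution-point URL until their nextUpdate, so
    one successful fetch serves later checks instead of hitting the CA's
    server at every startup."""

    def __init__(self, fetch: Callable[[str, float], Crl], timeout_s: float = 5.0):
        self._fetch = fetch            # fetch(url, timeout_s) -> Crl, may raise
        self._timeout_s = timeout_s
        self._store: Dict[str, Crl] = {}
        self.fetches = 0               # number of network fetches attempted

    def get(self, url: str, now: datetime) -> Crl:
        cached = self._store.get(url)
        if cached is not None and now < cached.next_update:
            return cached              # still within its validity window
        try:
            self.fetches += 1
            crl = self._fetch(url, self._timeout_s)
        except Exception as exc:
            # Bounded failure: report it instead of hanging the caller.
            raise CrlUnavailable(f"no fresh CRL for {url}: {exc}") from exc
        self._store[url] = crl
        return crl


def check_revocation(serial: int, not_after: datetime, crl_url: str,
                     cache: CrlCache, now: datetime) -> str:
    """Return 'expired', 'revoked' or 'good' for one certificate."""
    if not needs_crl_check(not_after, now):
        return "expired"               # no CRL traffic for an expired cert
    crl = cache.get(crl_url, now)
    return "revoked" if serial in crl.revoked_serials else "good"


# Constructed sample data for the demo (no real CA, URL or serial).
_NOW = datetime(2004, 1, 10, tzinfo=timezone.utc)
_SAMPLE_CRL = Crl(this_update=_NOW - timedelta(days=1),
                  next_update=_NOW + timedelta(days=6),
                  revoked_serials={0x1234})


def demo() -> dict:
    """Run the scenarios the thread touches on and return the outcomes."""
    def fake_fetch(url: str, timeout_s: float) -> Crl:
        # Hypothetical fetcher: a host containing 'down' simulates a timeout.
        if "down" in url:
            raise TimeoutError(f"no response within {timeout_s:.1f}s")
        return _SAMPLE_CRL

    cache = CrlCache(fake_fetch, timeout_s=2.0)
    url = "http://crl.example.invalid/ca.crl"
    out = {}
    # Expired cert: answered locally, no CRL fetch at all.
    out["expired"] = check_revocation(1, _NOW - timedelta(days=400), url, cache, _NOW)
    # Two valid certs against the same CRL: one fetch, then a cache hit.
    out["revoked"] = check_revocation(0x1234, _NOW + timedelta(days=30), url, cache, _NOW)
    out["good"] = check_revocation(0x5678, _NOW + timedelta(days=30), url, cache,
                                   _NOW + timedelta(days=2))
    out["fetches"] = cache.fetches
    # Unreachable distribution point: a bounded error rather than a hang.
    try:
        check_revocation(9, _NOW + timedelta(days=30),
                         "http://down.example.invalid/ca.crl", cache, _NOW)
        out["unreachable"] = "no error"
    except CrlUnavailable:
        out["unreachable"] = "CrlUnavailable"
    return out


if __name__ == "__main__":
    print(demo())
```

The cache is keyed on the distribution-point URL and trusts the CRL's own nextUpdate for freshness; whether a stale-but-present CRL should be accepted when a refresh fails is a policy decision left to the caller, which is why `get` raises rather than silently returning old data.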

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com