From: Raghavendran H. (SSG) - CTD, Chennai. (raghavh_at_ctd.hcltech.com)
Date: Sat Sep 14 2002 - 06:58:39 CDT
I have the following observations to make regarding this issue:
What I have done is this:
1. We've created an SSL Test Certificate which has the CDP set to an HTTP URL
2. We enable the Check for Server Cert Revocation in IE 6.0 with Q323759 Patch (and also IE 5.0)
3. We revoked the Server SSL certificate and generated a CRL and then published it at the above URL
4. We then connect to the IIS Web Server.
5. Our Observations are:
   1. IE seems to download the CRL to Temporary Internet Files using
   2. However, it simply ALLOWS access to the web site.
Why is this the behavior? Can anybody please explain?
From: Michael Howard [mailto:mikehowmicrosoft.com]
Sent: Saturday, September 14, 2002 1:46 AM
To: Raghavendran H. (SSG) - CTD, Chennai.; webappsecsecurityfocus.com
Subject: RE: Do Browsers (IE) really check CRLs correctly?
This is off by default in IE, and it looks at the CDP, assuming one is
Go to Tools -> Internet Options -> check for server cert revocatio
I assume you're using IE5+, BTW.
Writing Secure Code
From: Raghavendran H. (SSG) - CTD, Chennai.
Sent: Thursday, September 12, 2002 9:59 PM
Subject: Do Browsers (IE) really check CRLs correctly?
I was working on some things relating to SSL when I had this question:
Do browsers (primarily IE) check for certificate revocation? If yes, do
they do a static CRL check, or do they look for the CRLDP extension in
the certificate, download the CRL from that particular URL and
perform the CRL check?
My initial analysis with a sniffer indicates no connection whatsoever to
the URL mentioned in the certificate CRLDP extension field.
Any insights are greatly appreciated.
Thanks and Regards,
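An added example, not from anyone in this thread, showing what a CDP-based revocation check has to do once the CRL has been fetched: the question above asks whether the browser follows the CRLDP URL, and the observation at the top of the thread is that IE downloaded the CRL yet still allowed access, so the useful thing to see is the decision logic after download. The code uses the Python `cryptography` library to build a throwaway CA, a server certificate carrying a CRL Distribution Points extension, and two CRLs (one revoking the server certificate, one empty); the CDP URL `http://crl.example.test/test-ca.crl` is hypothetical and the "fetch" is a dictionary lookup so the example runs offline.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID, ExtensionOID

# Hypothetical distribution point, placed in the constructed test certificate below.
CDP_URL = "http://crl.example.test/test-ca.crl"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_pki():
    """Constructed test PKI: CA, server cert with a CDP extension, a CRL that
    revokes the server cert, and an empty CRL (nothing revoked)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    day = datetime.timedelta(days=1)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(_name("Test CA")).issuer_name(_name("Test CA"))
        .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - day).not_valid_after(now + 365 * day)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    srv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cdp = x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(CDP_URL)],
                                 relative_name=None, reasons=None, crl_issuer=None)
    srv_cert = (
        x509.CertificateBuilder()
        .subject_name(_name("www.example.test")).issuer_name(ca_cert.subject)
        .public_key(srv_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - day).not_valid_after(now + 90 * day)
        .add_extension(x509.CRLDistributionPoints([cdp]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    crl_builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now - datetime.timedelta(hours=1))
        .next_update(now + 7 * day)
    )
    empty_crl = crl_builder.sign(ca_key, hashes.SHA256())
    entry = (
        x509.RevokedCertificateBuilder()
        .serial_number(srv_cert.serial_number)
        .revocation_date(now - datetime.timedelta(minutes=30))
        .build()
    )
    revoking_crl = crl_builder.add_revoked_certificate(entry).sign(ca_key, hashes.SHA256())
    return ca_cert, srv_cert, revoking_crl, empty_crl


def cdp_urls(cert):
    """URIs named in the certificate's CRL Distribution Points extension ([] if absent)."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [gn.value for dp in ext.value for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]


def _next_update(crl):
    # cryptography >= 42 exposes an aware datetime; older releases a naive UTC one.
    if hasattr(crl, "next_update_utc"):
        return crl.next_update_utc
    nu = crl.next_update
    return nu.replace(tzinfo=datetime.timezone.utc) if nu and nu.tzinfo is None else nu


def check_revocation(cert, issuer_cert, fetch, now=None):
    """Client-side CDP check. fetch(url) returns DER bytes or None.
    Returns 'good', 'revoked' or 'unknown'; a fail-closed client treats
    'unknown' (no usable CRL) the same way as 'revoked'."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    for url in cdp_urls(cert):
        der = fetch(url)
        if der is None:
            continue                                  # distribution point unreachable
        try:
            crl = x509.load_der_x509_crl(der)
        except ValueError:
            continue                                  # response is not a CRL
        if crl.issuer != issuer_cert.subject:
            continue                                  # CRL from a different issuer
        if not crl.is_signature_valid(issuer_cert.public_key()):
            continue                                  # forged or corrupted CRL
        nu = _next_update(crl)
        if nu is not None and nu < now:
            continue                                  # stale CRL, past nextUpdate
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked"
        return "good"
    return "unknown"


def demo():
    ca_cert, srv_cert, revoking_crl, empty_crl = make_pki()
    der = lambda obj: obj.public_bytes(serialization.Encoding.DER)
    tampered = der(empty_crl)[:-1] + bytes([der(empty_crl)[-1] ^ 0xFF])  # flip last signature byte
    results = {
        "revoked": check_revocation(srv_cert, ca_cert, {CDP_URL: der(revoking_crl)}.get),
        "good": check_revocation(srv_cert, ca_cert, {CDP_URL: der(empty_crl)}.get),
        "unreachable": check_revocation(srv_cert, ca_cert, lambda url: None),
        "tampered": check_revocation(srv_cert, ca_cert, {CDP_URL: tampered}.get),
    }
    return cdp_urls(srv_cert), results


if __name__ == "__main__":
    print(demo())
```

The four cases in `demo()` are the ones worth watching in a sniffer trace like the one described in the question: a downloaded CRL only protects the user if the client verifies its signature against the issuer, rejects it once `nextUpdate` has passed, and then actually refuses the connection when the serial number appears in it; a client that fetches the file and still proceeds, as in the observation at the top of the thread, gives the same result as no check at all.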