Re: forced CRL refresh/update with EAP-TLS
From: Sam Salhi [MSFT] (samers_at_online.microsoft.com)
Date: 02/20/04
- Next message: Sam Salhi [MSFT]: "Re: IAS Security"
- Previous message: Sam Salhi [MSFT]: "Re: Disable fragmentation of EAP packets"
- In reply to: anonymous_at_discussions.microsoft.com: "Re: forced CRL refresh/update with EAP-TLS"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 20 Feb 2004 11:48:28 -0800
IAS doesn't store the CRL, PKI does. This CRL is not flushable, although the metadata in a specific certificate can be modified to point to a file.

IAS uses the certificate to identify and validate the user credentials. It doesn't use the certificate to authorize the user. It needs an account in AD that the certificate maps to.

I will say it again: restricting access based on certificate revocation IS NOT RECOMMENDED!

Disable/lock/expire/remove dial-in on the user account instead.
--
===========================================================
This posting is provided "AS IS" with no warranties and confers no rights
===========================================================

<anonymous@discussions.microsoft.com> wrote in message news:12a9201c3f751$a1746f80$a101280a@phx.gbl...
> My understanding of CRL processing is that any application calls CryptoAPI for CRL processing, and that the CA software makes CRL information available for CRL processing as applications so request.
>
> The URL from the MSFT site I posted previously included the words "it is also possible to store a local copy of the CRL on the IAS server" - which would not seem consistent with your comment of IAS not storing anything.
>
> It does not make sense to me that IAS would store anything either. It does however make sense that the CryptoAPI processing that IAS does call could in fact store or cache the CRL - much in the same way that IIS does. (See http://support.microsoft.com/default.aspx?scid=kb;EN-US;289749 for a discussion about CRL caching and IIS.)
>
> How can I force a flush or ensure that the CRL DP in the cert. is "freshly" retrieved - as opposed to a potentially stale one inside CryptoAPI - so that IAS will block someone?
>
> Thanks....
>
> I suggest that IAS needs to make the correct sort of CryptoAPI calls.
>
> >-----Original Message-----
> >The storage of the local CRL has nothing to do with IAS. IAS does NOT store anything, the PKI infrastructure does that; IAS is just a consumer of that.
> >
> >--
> >===========================================================
> >This posting is provided "AS IS" with no warranties and confers no rights
> >===========================================================
> >
> >"Paul" <anonymous@discussions.microsoft.com> wrote in message news:d91c01c3f038$25d58190$a101280a@phx.gbl...
> >> I am familiar with CRL DP... but many products have a way to have some "control" on caching this so that CRL retrieval does not become an authentication throttle due to CRL retrieval - especially if the CRL DP has not changed.
> >>
> >> The information at URL http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/deploy/ed80211.asp would imply that IAS does indeed store a CRL (see the following).
> >>
> >> "By default the IAS server uses the CRL distribution points in the certificates. However, it is also possible to store a local copy of the CRL on the IAS server. In this case, the local CRL is used during certificate revocation checking. If a new CRL is manually published to the Active Directory, the local CRL on the IAS server is not updated. The local CRL is updated when it expires. This can create a situation wherein a certificate is revoked, the CRL is manually published, but the IAS server still allows the connection because the local CRL has not yet been updated."
> >>
> >> Which seems to imply both are possible.
> >>
> >> >-----Original Message-----
> >> >IAS does not store the CRL. Each client certificate has CRL distribution points, which is a URL link that publishes the CRL for that cert. IAS goes to that site to check the client cert's revocation.
> >> >
> >> >--
> >> >=========================================================
> >> >This post is provided AS IS with no warranties, and confers no rights
> >> >=========================================================
> >> >
> >> >"Paul" <anonymous@discussions.microsoft.com> wrote in message news:e1fa01c3f027$e8199f90$a401280a@phx.gbl...
> >> >> Short of waiting until W2K or W2K3 IAS has detected that the CRL has expired - and therefore retrieved a new one, how can the CRL stored by IAS be updated (or deleted to force a read/refresh)?
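To make the caching window described in the quoted TechNet text concrete, here is an added example (not Microsoft's, IAS's or CryptoAPI's code; standard-library Python only): a minimal DER reader that pulls ThisUpdate, NextUpdate and the revoked serials out of a CRL, plus a check that behaves like a relying party which keeps trusting its cached copy until NextUpdate passes. Assumptions: the CRL carries NextUpdate, its dates are UTCTime, and the sample CRLs are constructed unsigned (dummy signature, empty issuer Name), so this shows the freshness logic, not signature validation.

```python
import datetime as dt

def der(tag, body):  # one DER TLV, short- or long-form length
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def children(body):  # split a DER SEQUENCE body into its (tag, value) elements
    pos, out = 0, []
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def utctime_to_dt(s):  # UTCTime "YYMMDDhhmmssZ" -> aware datetime
    return dt.datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def make_crl(this_update, next_update, revoked_serials):
    """Constructed sample CRL: UTCTime strings in, dummy signature, empty issuer Name,
    serials kept below 128 so a one-byte INTEGER suffices."""
    utc = lambda s: der(0x17, s.encode())
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    entries = b"".join(der(0x30, der(0x02, bytes([s])) + utc(this_update)) for s in revoked_serials)
    tbs = der(0x30, der(0x02, b"\x01") + alg + der(0x30, b"") + utc(this_update)
              + utc(next_update) + der(0x30, entries))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

def parse_crl(crl_der):
    """Return (thisUpdate, nextUpdate, {revoked serials}); assumes nextUpdate is present."""
    tbs = children(children(children(crl_der)[0][1])[0][1])  # TBSCertList fields
    i = (1 if tbs[0][0] == 0x02 else 0) + 2  # skip optional version, signature alg, issuer
    revoked = set()
    if len(tbs) > i + 2 and tbs[i + 2][0] == 0x30:
        for _, entry in children(tbs[i + 2][1]):
            revoked.add(int.from_bytes(children(entry)[0][1], "big"))
    return utctime_to_dt(tbs[i][1].decode()), utctime_to_dt(tbs[i + 1][1].decode()), revoked

def check_against_cached_crl(cached_crl, serial, now_utctime):
    """Relying-party view while it trusts its cached copy: 'revoked', 'stale' (NextUpdate
    has passed, refetch from the CDP) or 'good' (accepted, even if a newer CRL lists it)."""
    _, next_update, revoked = parse_crl(cached_crl)
    if serial in revoked:
        return "revoked"
    return "stale" if utctime_to_dt(now_utctime) >= next_update else "good"
```

With dates like those in the thread, a serial revoked after the cached CRL was fetched is reported "good" until that CRL's NextUpdate passes, which is exactly the gap the TechNet text describes; disabling the AD account closes it at the next authentication instead.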