Validating Digital Certificates in Outlook
Understand the process that Outlook uses to validate digital certificates.
March 23, 2003
When a Certificate Authority (CA) issues a certificate, the certificate has a set of associated attributes that show information such as who the certificate is for, the time period for which the certificate is valid, and where the certificate revocation list (CRL) is located. Figure A shows some of these attributes. Out of the box, Outlook 2000 knows to examine a certificate to ensure that the certificate was used between the Valid from and Valid to dates, but Outlook doesn't check the CRL to see whether the CA has revoked the certificate. To configure Outlook 2000 to check a CRL, you need to edit the registry. Open a registry editor and navigate to the HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptography subkey. Create a new subkey called {7801ebd0-cf4b-11d0-851f-0060979387ea}. In this subkey, create a new REG_DWORD value named PolicyFlags, and set it to 10000 (hexadecimal format). When you restart Outlook, it will check a CRL when evaluating a certificate. Also, be sure to apply Microsoft Office Service Release 1a (SR1a) or later. Before this release, if Outlook didn't validate a digital signature because the certificate wasn't in the certificate store or because the certificate was listed on a CRL, Outlook generated a warning message that simply stated a validation problem exists but provided no details about the cause of the failure. Earlier Outlook versions also erroneously show the certificate as Certificate not revoked even though the certificate is listed on a CRL.
You need to consider two other things in relation to CRLs, but both are intrinsic to any application that uses certificates. First, when a CA publishes a CRL, the CA assigns an expiration date. To speed certificate checking, Outlook retrieves a CRL and caches it. Outlook won't go get another CRL for the same CA until the current CRL has expired. Outlook won't know about any certificates added to the CRL until the cached CRL expires.
Second, CRLs are made available through CRL Distribution Points (CDPs). Outlook can access the CDPs through a file share, FTP, Lightweight Directory Access Protocol (LDAP), or HTTP (the CA determines the mechanism). If the CDP isn't accessible or Outlook has to go and retrieve a new CRL, a delay will occur when a user opens the message. The longest delay will occur when Outlook can't access the CDP.
About the Author
You May Also Like