Microsoft KB Archive/887195

= Summary of changes to the CryptoAPI certificate chain validation logic in Q835732 on Windows 2000 Service Pack 2 or later versions =

Article ID: 887195

Article Last Modified on 10/26/2006

-

APPLIES TO


 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



INTRODUCTION
This article contains a summary of the changes that are made to the CryptoAPI certificate chain validation logic in the following security update for Microsoft Windows 2000 Service Pack 2 (SP2) or later versions:

835732 MS04-011: Security Update for Microsoft Windows

The information in this article also applies to the following hotfix:

329433 A revoked certificate is selected if a certification authority in the chain has two certificates

However, the Q329433 hotfix has been superseded by Q835732.



MORE INFORMATION
CryptoAPI uses the Winhttp.dll library for network retrieval instead of the Wininet.dll library. Therefore, the following conditions may occur:  HTTPS URLs are no longer supported as distribution point references because using HTTPS URLs may generate recursion revocation loops. FTP URLs are no longer supported. The Microsoft Cryptography API (CAPI) supports only automatic proxy configuration by using JavaScript-based scripts. For example, .js, .pac, .jvs, and .dat scripts.

For additional information about manual proxy configurations, click the following article number to view the article in the Microsoft Knowledge Base:

841641 IIS returns a &quot;403.13 Client Certificate Revoked&quot; error message after you install MS04-011 because of Wininet proxy settings

 CryptoAPI no longer uses the Microsoft Internet Explorer (Wininet.dll) cache. Instead, it maintains a separate disk cache in the C:\Documents and Settings\ \Application Data\Microsoft\CryptnetUrlCache folder. Authentication to proxy servers that do not use Windows Integrated Authentication in some applications may fail. This behavior occurs because the Winhttp.dll library is designed for use by non-interactive services and does not prompt the user for network credentials.

Default network timeouts values have changed. This change was first made to address the problem of CAPI blocking for a long time during Certificate Revocation List (CRL) retrievals when the target URL is inaccessible. By default, the new timeout is 15 seconds for each retrieval and 20 seconds for each chain validation.

When it processes certificates with the Authority Information Access (AIA) extension, CryptoAPI will only process a maximum of five URLs for each certificate or 10 URLs for each certificate chain. CryptoAPI also limits the amount of data that is retrieved for each certificate chain to 100,000 bytes. These limitations are intended to reduce the potential use of AIA references in denial of service attacks.

Cross-certificate discovery and inclusion are supported through the Cross Certificate Distribution Point extension (xDP). The following features are also supported:
 * Delta CRLs are fully supported.
 * The critical Issuer Distribution Point (IDP) extension in CRL is supported.

Note CRLs with both onlyContainsUserCerts and onlyContainsCACerts bits that are set in the IDP will be rejected.
 * Name and policy constraints in certificates are supported.
 * Criticality flags in CRL extensions are respected.
 * Base-64 encoded CRLs are correctly processed.
 * X.500-style distinguished names for CRL and AIA references are supported.
 * The issue where CryptoAPI may select a revoked certificate instead of an active certificate when the issuing Certification Authority (CA) has two certificates has been resolved.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

841632 You receive a &quot;403.13 client certificate revoked&quot; error message after you install the MS04-11 security update

841641 IIS returns a &quot;403.13 Client Certificate Revoked&quot; error message after you install MS04-011 because of Wininet proxy settings

841642 Errors with client certificates occur after you install the MS04-011 security update on an IIS 5.0 computer

835732 MS04-011: Security Update for Microsoft Windows

329433 A revoked certificate is selected if a certification authority in the chain has two certificates

Keywords: kbhowto kbinfo KB887195

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.