On which criteria is Outlook's (and web browsers') CRL check based? (Cache, file dates, ...) - Openssl
Hi,
Here is the situation:
I have generated the following Public Key Infrastructure with NewPKI:
Root CA (crlDistributionPoint: http://www.mysite.com/mycrls/root_ca.crl)
  -> Child CA 1 (crlDistributionPoint: http://www.mysite.com/mycrls/ca_1.crl)
    -> Child SMIME CA (crlDistributionPoint: http://www.mysite.com/mycrls/ca_1_smime.crl)
      -> smime certificate for user 1
      ...
      -> smime certificate for user i
      ...
      -> smime certificate for user n
    -> Child CYPHER CA (crlDistributionPoint: http://www.mysite.com/mycrls/ca_1_cypher.crl)
      -> cypher certificate for user 1
      ...
      -> cypher certificate for user i
      ...
      -> cypher certificate for user n
  ...
  -> Child CA N (crlDistributionPoint: http://www.mysite.com/mycrls/ca_N.crl)
    -> Child SMIME CA (crlDistributionPoint: http://www.mysite.com/mycrls/ca_N_smime.crl)
      -> smime certificate for user 1
      ...
      -> smime certificate for user j
      ...
      -> smime certificate for user z
    -> Child CYPHER CA (crlDistributionPoint: http://www.mysite.com/mycrls/ca_N_cypher.crl)
      -> cypher certificate for user 1
      ...
      -> cypher certificate for user j
      ...
      -> cypher certificate for user z
I created an online crl distribution point repository:
http://www.mysite.com/mycrls/
All CRLs' validity periods are set to 1 day.
I then tested all of this with Outlook Express, with the online CRL
check activated in the options (it is disabled by default).
Whenever I revoke a user certificate and publish its parent CA CRL,
Outlook displays security warnings saying that the certificate has
indeed been revoked.
I then decided to make the following test: revoke an upper CA in the
certification chain, Child CA 1 for instance. I published a new CRL
from the top CA (Root CA) stating that Child CA 1 has been revoked. Yet
Outlook did not "see" the change immediately. It somehow "waited" until
24 hours had elapsed before checking the CRL.
So I am wondering... Is Outlook storing the CA CRL somewhere (on the
disk, in a database, ...), as a cache we might say, replacing it only 24
hours later? Or is Outlook storing only a date, like "I checked this
CA CRL on DATE, check again on DATE + 24 hours"?
Thanks for any suggestions.
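The 24-hour lag described above is exactly what a client sees when it caches a CRL until that CRL's nextUpdate field instead of re-fetching on every check: a CRL is a signed statement "valid until nextUpdate", so a client holding it has no reason to look again before then, even if the CA publishes a new CRL earlier. The script below is an added example (it is not part of the original thread and does not claim to be what Outlook Express does internally). It rebuilds the scenario with the openssl command line: Root CA, Child CA 1 signed through ca(1), a CRL issued before and one after revoking the child, and a verify run against each CRL standing in for "what the client has cached". All names, paths and the configuration are constructed; the only assumption is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Builds Root CA -> Child CA 1 with
# the openssl CLI, publishes CRL #1, revokes Child CA 1, publishes CRL #2, and
# shows that a client still holding CRL #1 keeps accepting the child until that
# CRL's nextUpdate (default_crl_days = 1, the 24-hour validity from the post).
# Assumes an openssl binary on PATH; every name and path below is constructed.
set -e

WORK=$(mktemp -d)
CNF="$WORK/root.cnf"

# Minimal ca(1) configuration; database, serial and CRL number live in $WORK.
cat > "$CNF" <<EOF
[ ca ]
default_ca = root_ca

[ root_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/root.pem
private_key = \$dir/root.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 1
policy = any_policy

[ any_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
: > "$WORK/index.txt"
echo 1000 > "$WORK/serial"
echo 01 > "$WORK/crlnumber"

# Self-signed root, then Child CA 1 issued through ca(1) so that it is recorded
# in the root's database and can be revoked later.
openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Root CA" -days 365 -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -subj "/CN=Child CA 1" -keyout "$WORK/child.key" -out "$WORK/child.csr" 2>/dev/null
openssl ca -batch -config "$CNF" -extensions v3_ca -notext \
    -in "$WORK/child.csr" -out "$WORK/child.pem" 2>/dev/null

# CRL #1: nothing revoked yet. This is the CRL a client fetches and caches.
openssl ca -config "$CNF" -gencrl -out "$WORK/crl_before.pem" 2>/dev/null

# Revoke Child CA 1 and publish CRL #2 from the root (same 1-day window).
openssl ca -config "$CNF" -revoke "$WORK/child.pem" 2>/dev/null
openssl ca -config "$CNF" -gencrl -out "$WORK/crl_after.pem" 2>/dev/null

# Validate Child CA 1 against the root using the given CRL, as a client that
# cached exactly that CRL would. Returns 0 when accepted, 1 when rejected.
check_child() {
    openssl verify -crl_check -CAfile "$WORK/root.pem" -CRLfile "$1" \
        "$WORK/child.pem" 2>&1 | grep -q ': OK$'
}

# Print the fields a CRL cache keys on: lastUpdate, nextUpdate and CRL number.
crl_window() {
    openssl crl -in "$1" -noout -lastupdate -nextupdate -crlnumber
}

# Stand-alone run: CRL #2 rejects the child right away, but CRL #1 still
# accepts it and advertises a nextUpdate one day out. A client honouring that
# field has no reason to refetch before then; that is the lag in the question.
for crl in crl_before crl_after; do
    crl_window "$WORK/$crl.pem"
    if check_child "$WORK/$crl.pem"; then
        echo "$crl: Child CA 1 accepted"
    else
        echo "$crl: Child CA 1 rejected (revoked)"
    fi
done
```

Both CRLs carry the same one-day window, so the only thing that distinguishes them for a cache is that the first one has not yet reached its nextUpdate. Shortening default_crl_days (or publishing with a shorter -crldays) is what bounds the worst-case lag between revoking a CA and every client noticing; publishing a fresh CRL early, by itself, does not make clients re-fetch.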