Re: Windows doesn't verify digital signature of CRL files
* Faro Poplar wrote:
> Has anyone noticed that Windows doesn't verify the digital signature
> of CRL files (*.crl).
Yes, I noticed that about 2 years ago. IMO this is no security issue.
CRLs are retrieved from the certificate store via CertGetCRLFromStore.
Sane use of CertGetCRLFromStore makes sure only properly signed CRLs are
used (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/
seccrypto/security/certverifycrlrevocation.asp).
Thomas Walpuski