Summary of changes to the CryptoAPI certificate chain validation logic in Q835732 on Windows 2000 Service Pack 2 or later versions (887195)



The information in this article applies to:

  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

INTRODUCTION

This article contains a summary of the changes that are made to the CryptoAPI certificate chain validation logic in the following security update for Microsoft Windows 2000 Service Pack 2 (SP2) or later versions:

835732 MS04-011: Security Update for Microsoft Windows

The information in this article also applies to the following hotfix:

329433 A revoked certificate is selected if a certification authority in the chain has two certificates

However, the Q329433 hotfix has been superseded by Q835732.

MORE INFORMATION

CryptoAPI uses the Winhttp.dll library for network retrieval instead of the Wininet.dll library. Therefore, the following conditions may occur:
  • HTTPS URLs are no longer supported as distribution point references because using HTTPS URLs may generate recursion revocation loops.
  • FTP URLs are no longer supported.
  • The Microsoft Cryptography API (CAPI) supports only automatic proxy configuration by using JavaScript-based scripts (for example, .js, .pac, .jvs, and .dat scripts).

    For additional information about manual proxy configurations, click the following article number to view the article in the Microsoft Knowledge Base:

    841641 IIS returns a "403.13 Client Certificate Revoked" error message after you install MS04-011 because of Wininet proxy settings

  • CryptoAPI no longer uses the Microsoft Internet Explorer (Wininet.dll) cache. Instead, it maintains a separate disk cache in the C:\Documents and Settings\UserName\Application Data\Microsoft\CryptnetUrlCache folder.
  • Authentication to proxy servers that do not use Windows Integrated Authentication in some applications may fail. This behavior occurs because the Winhttp.dll library is designed for use by non-interactive services and does not prompt the user for network credentials.

Default network timeout values have changed. This change was first made to address the problem of CAPI blocking for a long time during Certificate Revocation List (CRL) retrievals when the target URL is inaccessible. By default, the new timeout is 15 seconds for each retrieval and 20 seconds for each chain validation.

When it processes certificates with the Authority Information Access (AIA) extension, CryptoAPI will only process a maximum of five URLs for each certificate or 10 URLs for each certificate chain. CryptoAPI also limits the amount of data that is retrieved for each certificate chain to 100,000 bytes. These limitations are intended to reduce the potential use of AIA references in denial of service attacks.
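The AIA limits above, together with the timeout values and the HTTPS/FTP exclusions described earlier, amount to a retrieval budget per chain. The following is an added example, not CryptoAPI code or Microsoft's: a Python model of which AIA references a chain validation would still attempt under those limits. The URLs, sizes and timings are constructed, and the treatment of skipped references as not counting toward the URL limits is an assumption.

```python
from urllib.parse import urlsplit

# Limits stated in the article: 5 AIA URLs per certificate, 10 per chain,
# 100,000 bytes per chain, 15 s per retrieval and 20 s per chain validation.
MAX_URLS_PER_CERT, MAX_URLS_PER_CHAIN, MAX_BYTES_PER_CHAIN = 5, 10, 100_000
RETRIEVAL_TIMEOUT, CHAIN_TIMEOUT = 15.0, 20.0
UNSUPPORTED_SCHEMES = {"https", "ftp"}  # no longer followed as references

def plan_aia_retrievals(chain, fetch):
    """chain: per certificate (leaf first), its list of AIA URLs; fetch(url) -> (bytes, seconds).
    Returns (fetched, skipped), each a list of (url, outcome). Assumed: skipped URLs are not counted."""
    fetched, skipped = [], []
    chain_urls, chain_bytes, elapsed = 0, 0, 0.0
    for aia_urls in chain:
        cert_urls = 0
        for url in aia_urls:
            scheme = urlsplit(url).scheme.lower()
            if scheme in UNSUPPORTED_SCHEMES:
                skipped.append((url, f"{scheme} references are not followed"))
            elif cert_urls >= MAX_URLS_PER_CERT:
                skipped.append((url, "per-certificate URL limit reached"))
            elif chain_urls >= MAX_URLS_PER_CHAIN:
                skipped.append((url, "per-chain URL limit reached"))
            elif elapsed >= CHAIN_TIMEOUT:
                skipped.append((url, "chain validation timeout exhausted"))
            else:
                cert_urls, chain_urls = cert_urls + 1, chain_urls + 1
                size, seconds = fetch(url)
                seconds = min(seconds, RETRIEVAL_TIMEOUT)  # each retrieval is cut off at 15 s
                elapsed += seconds
                if seconds >= RETRIEVAL_TIMEOUT:
                    skipped.append((url, "retrieval timed out"))
                elif chain_bytes + size > MAX_BYTES_PER_CHAIN:
                    skipped.append((url, "per-chain byte limit exceeded"))
                else:
                    chain_bytes += size
                    fetched.append((url, f"{size} bytes in {seconds:g} s"))
    return fetched, skipped
# Constructed stand-in for the network: URL -> (bytes returned, seconds taken).
SAMPLE_NETWORK = {"http://pki.example.test/ca1.crt": (1_200, 0.2),
                  "http://pki.example.test/ca2.crt": (1_300, 0.3),
                  "http://slow.example.test/ca.crt": (1_000, 30.0),      # unreachable: hits the 15 s cap
                  "http://big.example.test/bundle.p7c": (99_000, 1.0)}  # pushes the chain past 100,000 bytes
# Constructed AIA references: leaf certificate first, then its issuer.
SAMPLE_CHAIN = [["https://pki.example.test/ca1.crt", "http://pki.example.test/ca1.crt"],
                ["ftp://pki.example.test/ca2.crt", "http://pki.example.test/ca2.crt",
                 "http://slow.example.test/ca.crt", "http://big.example.test/bundle.p7c"]]

def run_sample():  # unknown hosts never answer, so they run into the retrieval timeout
    return plan_aia_retrievals(SAMPLE_CHAIN, lambda u: SAMPLE_NETWORK.get(u, (0, RETRIEVAL_TIMEOUT)))
```

For the constructed chain only the two plain HTTP issuer certificates are fetched; the slow host consumes its full 15 s and the large bundle is refused because it would take the chain past 100,000 bytes.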

Cross-certificate discovery and inclusion are supported through the Cross Certificate Distribution Point extension (xDP). The following features are also supported:
  • Delta CRLs are fully supported.
  • The critical Issuer Distribution Point (IDP) extension in CRL is supported.

    Note CRLs that have both the onlyContainsUserCerts and onlyContainsCACerts bits set in the IDP will be rejected.
  • Name and policy constraints in certificates are supported.
  • Criticality flags in CRL extensions are respected.
  • Base-64 encoded CRLs are correctly processed.
  • X.500-style distinguished names for CRL and AIA references are supported.
  • The issue where CryptoAPI may select a revoked certificate instead of an active certificate when the issuing Certification Authority (CA) has two certificates has been resolved.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

841632 You receive a "403.13 client certificate revoked" error message after you install the MS04-011 security update

841641 IIS returns a "403.13 Client Certificate Revoked" error message after you install MS04-011 because of Wininet proxy settings

841642 Errors with client certificates occur after you install the MS04-011 security update on an IIS 5.0 computer

835732 MS04-011: Security Update for Microsoft Windows

329433 A revoked certificate is selected if a certification authority in the chain has two certificates


Modification Type: Major
Last Reviewed: 10/22/2004
Keywords: kbhowto kbinfo KB887195 kbAudDeveloper