Delta CRLs
A CRL is the CA-signed list of certificates the CA has revoked before their expiration dates. You might need to revoke a certificate because the owner believes the private key has been compromised or because the owner is no longer allowed to access a system that uses certificate-based authentication. In Win2K Certificate Services, clients must download the complete CRL every time they need a fresh copy. In large environments, the CRL can grow to a size that becomes unmanageable and slow to download each time a client needs to check it. Windows 2003 Certificate Services supports delta CRLs: a client downloads the full (base) CRL once, then downloads only the changes, or deltas, until the CA republishes the base CRL. A delta CRL lists just the certificates revoked since the base CRL was published and carries a Delta CRL Indicator extension that names the base CRL it extends, so the client must combine the two to obtain the complete revocation list; a client that doesn't understand delta CRLs keeps relying on the base CRL alone.
You revoke a certificate by using the Certification Authority snap-in: right-click the certificate under Issued Certificates, select All Tasks, then select Revoke Certificate. As you revoke certificates, Certificate Services maintains both the full (base) CRL and the delta CRL and publishes them to the CRL distribution points (CDPs) you configured; for clients to locate the delta, the CA publishes the delta CRL location in the Freshest CRL extension of the certificates it issues. A client downloads the full CRL if it doesn't have one or if its copy has expired. The next time the client needs current revocation data, it can download the much smaller delta CRL and apply it to the base CRL it already holds. By default, a full CRL expires one week after it's published and a delta CRL expires one day after it's published, so a client that checks revocation daily usually moves only the delta over the network. Keep in mind that a delta CRL is only as fresh as its publication schedule: with daily deltas, a revocation can take up to a day to reach clients that hold a valid cached delta, and a delta is useless to a client that can't also retrieve the base CRL it refers to.
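The command-line equivalent of the delta CRL behaviour and revocation steps described above, as an added example that is not part of the original article. It drives certutil, which ships with Windows 2003, from PowerShell on the CA itself; the local CertEnroll folder as the CDP, the serial number, the certificate path, the 12-hour delta period and the text patterns matched in certutil's dump output are assumptions for illustration and should be adjusted to your CA.

```powershell
# Added example (not the article's own): configure, publish and inspect delta CRLs
# on a Windows 2003 CA with certutil. Run on the CA as a CA administrator.
# Assumptions: the CA publishes to the default local CertEnroll folder, the serial
# number and certificate path below are placeholders, and the dump-output patterns
# match the English certutil output.

$CrlDir = "$env:SystemRoot\System32\CertSrv\CertEnroll"   # default local CDP folder (assumed)
$Serial = "1a2b3c4d5e6f"                                  # placeholder serial, replace
$Cert   = "C:\certs\user.cer"                              # placeholder certificate to check

# 1. Inspect the current publication periods (defaults: base CRL 1 week, delta CRL 1 day).
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod

# 2. Publish deltas every 12 hours instead of daily (assumed policy).
#    Setting CRLDeltaPeriodUnits to 0 disables delta CRLs altogether.
certutil -setreg CA\CRLDeltaPeriodUnits 12
certutil -setreg CA\CRLDeltaPeriod "Hours"
net stop certsvc ; net start certsvc      # period changes take effect after a restart

# 3. Revoke a certificate, the same operation as the snap-in's Revoke Certificate.
#    Reason 1 = key compromise (0 unspecified, 3 affiliation changed, 6 certificate hold).
certutil -revoke $Serial 1

# 4. Publish only a new delta CRL; the base CRL keeps its own schedule.
#    "certutil -CRL" with no argument republishes both base and delta.
certutil -CRL delta

# 5. Verify the delta extends the currently published base CRL.
#    Windows names the delta "<CAName>+.crl"; its Delta CRL Indicator must not be
#    newer than the base CRL Number, and the revoked serial should now appear in it.
$base  = Get-ChildItem $CrlDir -Filter '*.crl'  | Where-Object { $_.Name -notlike '*+.crl' } | Select-Object -First 1
$delta = Get-ChildItem $CrlDir -Filter '*+.crl' | Select-Object -First 1
certutil -dump $base.FullName  | Select-String 'CRL Number', 'Update'
certutil -dump $delta.FullName | Select-String 'CRL Number', 'Delta CRL Indicator', 'Update', $Serial

# 6. Client-side view: follow the certificate's CDP and Freshest CRL URLs, fetch the
#    base and delta CRLs, and report the revocation status the way a client would.
certutil -verify -urlfetch $Cert
```

Step 6 is the check to run from a workstation after publishing: if the certificate's Freshest CRL URL is missing or unreachable, clients silently fall back to the base CRL and won't see a revocation until the next base CRL is published.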
Windows 2003 Certificate Services: A Robust PKI
Although I’ve discussed several key Windows 2003 Certificate Services features, I’ve barely scratched the surface of what Certificate Services offers. Additional new features include qualified subordination, enhanced auditing, and separation of roles. Together, these features make Windows 2003 Certificate Services a robust PKI suited to the enterprise. For more information about Windows 2003 Certificate Services, including links to white papers and downloads, visit http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx.
John Howie (jhowie@microsoft.com) is the director of the World Wide Services and IT Technical Community for Security at Microsoft. He has more than 15 years of experience in information security and is a CISA, a CISM, and a CISSP.