Summary of changes to the CryptoAPI certificate chain validation logic in Windows XP Service Pack 2

This article describes the changes that were made to the CryptoAPI certificate chain validation logic in Microsoft Windows XP Service Pack 2 (SP2).

The CryptoAPI certificate uses the Winhttp.dll process for network retrieval instead of the Wininet.dll process that is used in pre-SP2 versions of Windows XP. Therefore, Windows XP SP2 exhibits the following new functionality:

• HTTPS Uniform Resource Locators (URLs) are no longer supported as distribution point references.
  
  Note HTTPS URLs may generate recursion revocation loops.
• File Transfer Protocol (FTP) URLs are no longer supported.
• A Microsoft Cryptography API (CAPI) supports only auto-proxy configuration through JavaScript-based scripts.
  
  Note JavaScript-based scripts include those with .js, .pac, .jvs, and .dat extensions.
• The CryptoAPI certificate no longer uses the Microsoft Internet Explorer cache (Wininet.dll). Instead, it maintains a separate disk cache at the following location:
  C:\Documents and Settings\user name\Application Data\Microsoft\CryptnetUrlCache
• Authentication to proxy servers that do not use Windows Integrated Authentication in certain programs may be unsuccessful. This issue occurs because the Winhttp.dll process is designed for use by non-interactive services and does not prompt the user for network credentials.
• Default network timeout values have been changed. These changes were first made to address the problem of CAPI cryptography blocking for extended periods during Certificate Revocation List (CRL) retrievals when the target URL is inaccessible. The new default timeout values are 15 seconds per retrieval and 20 seconds per chain validation.
• When CryptoAPI processes certificates with the Authority Information Access (AIA) extension, it handles a maximum of only 5 URLs per certificate or 10 URLs per certificate chain. CryptoAPI also limits the data that is retrieved per certificate chain to 100,000 bytes. These limitations are designed to reduce the potential use of AIA references in denial of service attacks.
• The issue where CryptoAPI may select a revoked certificate instead of an active certificate when the issuing certification authority (CA) has two certificates is now resolved. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  841641  (http://support.microsoft.com/kb/841641/ ) IIS returns a "403.13 Client Certificate Revoked" error message after you install MS04-011 because of Wininet proxy settings
  329433  (http://support.microsoft.com/kb/329433/ ) A revoked certificate is selected if a certification authority in the chain has two certificates