Impact of disabling "check for publisher's certificate revocation" option of IE in existing PKI environment
Hi, I have a 2-tier PKI infrastructure using 2008 R2 servers in my existing environment. We are using certificates for wireless (WLAN1964) authentication with a RADIUS server (NPS). Now we need to install an identity tool, and for this we have to disable "check for publisher's certificate revocation" in Internet Explorer on all machines using Group Policy. I want to know what the impact of disabling this option would be on the existing PKI infrastructure. Any suggestions? Thanks in advance.
September 2nd, 2011 3:24am

The impact is that you may be redirected to a specially crafted web page that installs a signed application that is signed by a revoked (untrusted) certificate.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
September 2nd, 2011 3:52am

What if I set the timeout for CRL to 1 second inside "Network Retrieval" of the "Certificate Path Validation Setting" group policy for the entire domain? Does it also impact validation of my internal CRLs, which are published by my internal CAs?
September 2nd, 2011 4:08am

Yes. This affects all CRL retrievals.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
September 2nd, 2011 4:51am

So, one last clarification, Vadims. What do you suggest in this situation? Should I only disable the IE option "check for publisher's certificate revocation", or should I configure the GPO timeout for CRL to 1 second in "Certificate Path Validation Setting"? Which would be the best solution out of these two? Thanks in advance.
September 2nd, 2011 5:01am

The second option is not recommended.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
September 2nd, 2011 7:23am

On Fri, 2 Sep 2011 07:15:17 +0000, Ajit_bangalore wrote:
> Now we need to install some identity tool for this we have to disable "check for publisher's certificate revocation" in internet explorer in all machines using group policy.

What software requires you to set this policy? Frankly, if that is indeed a requirement then I'd tell the vendor that you're not going to use their software as it introduces a huge security hole in your network.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
People who deal with bits should expect to get bitten. -- Jon Bentley
September 2nd, 2011 8:46am

That's what we are also trying to avoid. Anyway thanks for your suggestion.
September 2nd, 2011 9:16am
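
An added example, not part of the original thread: a PowerShell audit that reports whether the IE option discussed above has been switched off for the users on a machine. It reads the per-user WinTrust State value and tests the 0x200 (WTPF_IGNOREREVOKATION) flag from wintrust.h; the function names are hypothetical, and only user hives currently loaded under HKEY_USERS are inspected.

```powershell
# Added example (not from the thread). The IE checkbox "Check for publisher's
# certificate revocation" is stored per user in the WinTrust "State" DWORD.
# Typical values: 0x23c00 = check enabled, 0x23e00 = check disabled.
$WTPF_IGNOREREVOKATION = 0x200   # wintrust.h: do not check publisher revocation
$SubKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'

function Test-PublisherRevocationDisabled {
    # Hypothetical helper: true when the "ignore revocation" bit is set.
    param([Parameter(Mandatory)][int]$State)
    return (($State -band $WTPF_IGNOREREVOKATION) -ne 0)
}

function Get-PublisherRevocationState {
    # Hypothetical helper: one result object per loaded user hive.
    # Profiles that are not logged on are not loaded and are not covered.
    Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $path = "Registry::HKEY_USERS\$sid\$SubKey"
            $prop = Get-ItemProperty -Path $path -Name State -ErrorAction SilentlyContinue
            if ($null -eq $prop) {
                # Value never written for this user: the Windows default applies.
                $stateHex = $null
                $status   = 'NotSet'
            } else {
                $state    = [int]$prop.State
                $stateHex = '0x{0:X}' -f $state
                $status   = if (Test-PublisherRevocationDisabled -State $state) {
                                'DISABLED'
                            } else {
                                'Enabled'
                            }
            }
            [pscustomobject]@{
                Sid             = $sid
                State           = $stateHex
                RevocationCheck = $status
            }
        }
}

# Constructed sample values to show the bit test, then the live audit.
Test-PublisherRevocationDisabled -State 0x23c00   # False: check is on
Test-PublisherRevocationDisabled -State 0x23e00   # True: check is off
Get-PublisherRevocationState | Format-Table -AutoSize
```

Run it in an elevated session to read other logged-on users' hives; a DISABLED row means that user will accept code signed with a revoked publisher certificate without a revocation lookup.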

This topic is archived. No further replies will be accepted.
