Bugtraq mailing list archives

CRLs (was Re: Verisign certificates problem)


From: Michael Reilly <michaelr () CISCO COM>
Date: Tue, 27 Mar 2001 15:45:28 -0800

Actually checking most of the CA certificates shipped with IE less than
half have a CDP field.

How many of those certs are self signed root certs?  A CDP in a self signed
root cert is, obviously, useless since the revoked cert contains the key
used to sign the CRL.  The fact that the cert is revoked means that anything
signed by the public key (including the CRL) contained in that cert is
suspect if it was signed after the cert was revoked.

That I know of, Entrust.net, SITA, and EQUANT all have functioning CRLs
(they use CDPs for slightly more efficient handling of large CRLs).

Verisign also has functioning CRLs.  Some of their customers use them and
some do not.  I do not know what Verisign's policy is regarding a CDP in a
cert they issue.

Verisign did not use the OPTIONAL CDP extension until recently.

To me, Microsoft should be responsible for their code which disables CRL
checking and which makes it hard to even determine that CRL checking is
disabled.  Note that Microsoft's IPSec implementation in Windows 2000 also
does not check CRLs by default.

michael

