Problems in Revocation (cont.)

Example: Microsoft Security Bulletin MS01-017

VeriSign code-signing certs don't list a CRL Distribution Point (CDP) - and even if they did, CRL checking is OFF by default in IE!

Microsoft is shipping an update to Windows 95/98/Me/NT/2000 which claims to enable this - but how do you trust the update? :-)

If we need to check CRLs every time, we may as well use a symmetric-key third party KDC (e.g. Kerberos) to arbitrate trust!
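
The missing-CDP problem above, as an added example (not part of the original slides): a stdlib-only Python check that reads a certificate's DER-encoded Extensions block and reports whether a client could even locate a CRL. The sample extension bytes, the URL and every function name are constructed for illustration; crl_checking_enabled defaulting to False stands in for the client default the slide describes.

```python
# Added example, not from the slides: stdlib-only DER walk over an Extensions SEQUENCE.
CDP_OID = bytes([0x55, 0x1D, 0x1F])  # content bytes of OID 2.5.29.31 (cRLDistributionPoints)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each element inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def find_uris(der):  # GeneralName URI is context tag [6] (0x86); recurse into constructed tags
    uris = []
    for tag, val in children(der):
        if tag == 0x86:
            uris.append(val.decode("ascii"))
        elif tag & 0x20:
            uris += find_uris(val)
    return uris

def crl_uris(extensions_der):
    """Return the CDP URIs in a DER Extensions SEQUENCE, or [] when no CDP is listed."""
    for _, ext in children(read_tlv(extensions_der, 0)[1]):
        fields = list(children(ext))  # extnID, optional critical flag, extnValue
        if fields[0] == (0x06, CDP_OID):
            return find_uris(fields[-1][1])
    return []

def revocation_status(extensions_der, crl_checking_enabled=False):  # False: default per the slide
    if not crl_checking_enabled:
        return "unchecked: CRL checking disabled"
    uris = crl_uris(extensions_der)
    return "fetch " + uris[0] if uris else "unchecked: no CDP in certificate"

def tlv(tag, *parts):  # encoder for the constructed samples; short-form lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
URL = b"http://crl.example.test/codesign.crl"  # constructed placeholder
ku = tlv(0x30, tlv(0x06, b"\x55\x1d\x0f"), tlv(0x01, b"\xff"), tlv(0x04, tlv(0x03, b"\x07\x80")))
cdp = tlv(0x30, tlv(0x06, CDP_OID),
          tlv(0x04, tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, URL)))))))
WITH_CDP, WITHOUT_CDP = tlv(0x30, ku, cdp), tlv(0x30, ku)
```

Both "unchecked" results mean a revoked certificate would still be accepted: one because the client never looks, the other because the certificate gives it nowhere to look.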