Last night, as an experiment, I revoked one of my Thawte Freemail certificates. Today I sent myself a message signed with that now-bogus cert. Few people have ever used an S/MIME cert. Still fewer, I am sure, have explored how email software deals with a CRL (certificate revocation list).
I tried the experiment in Outlook and Mozilla. Neither will automatically acquire the CRL, which for Thawte is available from this page. Fetching the CRL into Outlook yields a nice-looking CRL viewer. But, so far as I can tell, Outlook ignores the CRL. To it, my message with the bogus signature looks normal.
In Mozilla, when you fetch the CRL, it volunteers to refresh it on a scheduled basis, even daily if you like. That's very nice, but what's even nicer is that Mozilla actually respects the CRL. When I viewed the message signed with the bogus cert, the pencil icon that signifies a signed message in Mozilla appeared broken, as it should. Outstanding!
Former URL: http://weblog.infoworld.com/udell/2002/07/01.html#a324