Regarding CRL ( Certificate Revocation List)


Manoj Khirade

Hi Guys,

I am desperately looking for a solution to this problem.

When I access a signed mail from my outlook 2002 client
and when I click on the red ribbon to verify the
signature, I get the following message "Warning:
The Certificate Revocation List needed to verify the
signing certificate is either unavailable or it has
expired.". I checked the Internet temporary files and
found that the CRL is getting downloaded. I even tried
switching off the CRL check option in registry mentioned
scid=kb;en-us;287803', but still no luck.

Can anybody suggest a solution?


Thanks

Manoj Khirade

Vanguard

Outlook isn't very good at automatically downloading the certificate
revocation list (CRL). Also, some CAs (Certificate Authorities) do not
specify the download path to their CRL, like Thawte. I tested a Thawte
freemail certificate and found OL2002 couldn't verify the certificate
(got the same error that you mention). I had to go to Thawte's web site
to *manually* download the CRL. That sucks. You must repeatedly
download revoke lists to keep them current, and then your program scans
through the list to see if the certificate is listed as bad. What idiot
contrived this scheme? That's like the not-so-good old days when clerks
had to get lists from banks or a service listing what checks were bad.
Recipients aren't going to do this providing they can even find where to
download the CRL. They also aren't going to do it often enough to keep
the revoke list current to guarantee that the certificate has not been
revoked (by the owner or by the CA).

According to http://www.thawte.com/html/SUPPORT/email/iexplorer.html (CA
= Certificate Authority, like Thawte or Verisign):

----------
Error: "Windows cannot determine the validity of this certificate
because it cannot locate a valid certificate revocation list from the CA
which issued the certificate"
Microsoft Internet Explorer is shipped with the Certificate Revocation
List (CRL) Checking option enabled. Any Certification Authority does not
yet utilize this feature. The CRL protocol has since been superseded by
OCSP.
In order to remove this error message, you need to disable this option
in Internet Explorer:
View | Tools > Internet Options > Advanced > Security >
Un-tick "Check for Publisher's Certificate Revocation".
Close and reopen the browser.
The Thawte CRL can be manually downloaded, and added to the path in your
browser.
You can download the CRL from Thawte's Root Certificate Download page
https://www.thawte.com/cgi/lifecycle/roots.exe
Look for the "Thawte Server CA CRL".
----------

I don't know about their claim that no CA supports the auto-download of
CRLs; I've only experimented using Thawte's e-mail certificates. I
thought I had some e-mails with Thawte but cannot find them. I recall
that Thawte said Microsoft requires the CA be identified AND the path to
the CRL be specified so IE and Outlook would know from where to download
the CRL, and that Thawte doesn't supply that information in their
freemail certificates (don't know about their other certificate types).
Outlook 2002 doesn't support OCSP (see definition at
http://snurl.com/2nay and RFC 2560 at http://snurl.com/2nb2), and I
don't know if Outlook 2003 supports it, either. OCSP makes more sense.
RFC 2560 is over 3 years old, but then I haven't checked to see if any
CAs support it, either. Since the old CRL scheme still had you contact
the CA to spend resources transferring a file, screw the revoke list and
have the CA server spend its resources to tell you if the certificate is
good or bad.

I know from trying to use and test Thawte freemail certificates that
those will not work with Outlook. Don't know about e-mail certificates
from other CAs. Since Thawte's freemail certificates are disbursed to
anyone asking for them and without any real identification, they are
worthless for identifying the sender. They are still usable for sending
encrypted e-mails.

In fact, trying to retrieve CRLs can slow Outlook a *LOT* but only if
you are Internet connected when you open a digitally signed or encrypted
e-mail (I have a cable connection so I'm always online). While sending
myself test e-mails that were either digitally signed or encrypted,
there would be long delays before Outlook would become responsive. It
was trying to find and download CRLs. See Microsoft's KB article #
287803 (http://snurl.com/2nas).