fun with CRLs!

Peter Gutmann pgut001 at
Fri Jan 9 21:07:12 EST 2004

>/. is reporting this, anyone know the real story?

The CryptoAPI list has been lit up end to end with mail about this.  The
summary from one poster (Tim Anderson <TimA at PREDATOR-SOFTWARE.COM>) is:

  IE5.x's digital signature expired yesterday. Every computer that uses
  WinVerifyTrust now has to have the "verify publisher certificate" dealy
  unchecked or the WinVerifyTrust call takes upwards of 5 minutes to complete.

The fix, as for the "We're from Microsoft, give us a certificate" fiasco of
two years ago, is an OS update from Microsoft to replace the certs.  Further
patches will be in Win2K SP5 and WinXP SP2.

ObSnideComment: It's a good thing 99.99% of PKI use is just window dressing,
  imagine if people were basing things like electronic funds transfers on
  technology as brittle as this: "Please wait 5 minutes for the server to time
  out so your funds can become available".


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list