Unfortunately, IE does not check CRLs by default, so 99.9% of home users would have not detected the revoked cert. Hence the move by MS to sidestep the CRL and hard-code the invalid cert into IE. My guess is that if Verisign had issued the certificate for "Oracle Corporation" MS would have been happy to leave their users vulnerable...
Unfortunately, IE does not check CRLs by default, so 99.9% of home users would have not detected the revoked cert. Hence the move by MS to sidestep the CRL and hard-code the invalid cert into IE. My guess is that if Verisign had issued the certificate for "Oracle Corporation" MS would have been happy to leave their users vulnerable...