Comment 140 for bug 232340

Unfortunately, IE does not check CRLs by default, so 99.9% of home users would have not detected the revoked cert. Hence the move by MS to sidestep the CRL and hard-code the invalid cert into IE. My guess is that if Verisign had issued the certificate for "Oracle Corporation" MS would have been happy to leave their users vulnerable...