Sadly, Thawte (which was purchased by VeriSign and is supposed to be the
second largest CA) does not include a CPD field in their server certificates
either.

Actually, checking most of the CA certificates shipped with IE, less than
half have a CPD field. Of the big CAs, only Entrust seems to use the field.

On the plus side, if you use IE and go into Internet Options -> Advanced
-> Security and check the boxes next to "Check for publisher's certificate
revocation" and "Check for server certificate revocation" then you
will get a warning. IE won't pop up the warning when you visit a site
with a certificate without a CPD field, but if you click on the lock
and bring up the certificate window you will see the following text:

  "Windows cannot determine the validity of this certificate because it
   cannot locate a valid certificate revocation list from the certificate
   authority that issued this certificate."

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
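
Added example (not part of the original message): a shell audit that reports which certificates in a directory carry a CRL location, that is, the X.509 CRL Distribution Points extension that the message calls the CPD field. It assumes OpenSSL 1.1.1 or later; the function names, the sample certificates and the crl.example.invalid URL are constructed for the demonstration.

```shell
#!/bin/sh
# Audit PEM certificates for a CRL Distribution Points extension.
# Assumes OpenSSL 1.1.1 or later (for `x509 -ext` and `req -addext`).

# cdp_uris FILE: print each CRL URI in the certificate, one per line.
# Prints nothing when the extension is absent or names no URI.
cdp_uris() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null |
        sed -n 's/^[[:space:]]*URI://p'
}

# audit_dir DIR: one status line per *.pem file in DIR.
audit_dir() {
    for cert in "$1"/*.pem; do
        # Files that do not parse as a certificate are reported separately.
        if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
            printf 'UNREADABLE  %s\n' "$cert"
            continue
        fi
        uris=$(cdp_uris "$cert" | tr '\n' ' ')
        if [ -n "$uris" ]; then
            printf 'HAS-CRL     %s  %s\n' "$cert" "$uris"
        else
            printf 'NO-CRL      %s\n' "$cert"
        fi
    done
}

# make_sample OUT [req options]: constructed self-signed test certificate.
make_sample() {
    out=$1; shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" -keyout /dev/null -out "$out" "$@" 2>/dev/null
}

# Constructed sample input: one certificate with the extension, one without.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_sample "$demo_dir/with-crl.pem" \
    -addext "crlDistributionPoints=URI:http://crl.example.invalid/ca.crl"
make_sample "$demo_dir/without-crl.pem"
audit_dir "$demo_dir"
```

A certificate reported as NO-CRL gives a client no CRL location to fetch, which is the case that produces the "cannot locate a valid certificate revocation list" text quoted above.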
