Peter Gutmann writes:
> The reason why revocation checking is disabled by default is a pragmatic
> one, in practice it acts as a "Delay processing each message by a minute
> or two" facility (or at least it did a year or so back), so by disabling
> it by default the vast masses (who don't know or care about it) get
> their PKI warm fuzzies, and those who turn it on get what they asked for
> (I don't use Outlook but if I did I'd certainly have it turned off).

Can you explain why it has this delay? Presumably it is because it has
to fetch a CRL? Is this because:

- CRLs are not cached but fetched every time?
- CRLs expire every week or so, and you probably don't get more than
  one encrypted message a week, so your previous CRL has expired?
- CRLs are issued by dozens of different CAs, and you probably don't
  ever receive two messages from people certified by the same CA, so
  you don't have a CRL from the CA you need?

None of these seem particularly plausible. Is there another reason?