* Faro Poplar wrote: > Has anyone noticed that Windows doesn't verify the digital signature > of CRL files (*.crl). Yes, I noticed that about 2 years ago. IMO this is no security issue. CRLs are retrieved from the certificate store via CertGetCRLFromStore. Sane use of CertGetCRLFromStore makes sure only properly signed CRLs are used (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ seccrypto/security/certverifycrlrevocation.asp). Thomas Walpuski
