Information
This policy setting controls whether Outlook considers a missing certificate revocation list
(CRL) a warning or an error. Digital certificates contain an attribute that shows where the
corresponding CRL is located. CRLs contain lists of digital certificates that have been
revoked by their controlling certification authorities (CAs), typically because the
certificates were issued improperly or their associated private keys were compromised. If a
CRL is missing or unavailable, Outlook cannot determine whether a certificate has been
revoked. Therefore, an improperly issued certificate or one that has been compromised
might be used to gain access to data.
If you enable this policy setting, you can choose between two options that determine how
Outlook functions when a CRL is missing-
. Warning. This option is the default configuration in Outlook and ensures that
Outlook displays a warning message when a CRL is missing.
. Error. This option ensures that Outlook displays an error message when a CRL is
missing.
If you disable or do not configure this policy setting, Outlook displays a warning message
when a CRL is not available. The recommended state for this setting is- Enabled-Error.
*Rationale*
Digital certificates contain an attribute that shows where the corresponding CRL is located.
CRLs contain lists of digital certificates that have been revoked by their controlling
certification authorities (CAs), typically because the certificates were issued improperly or
their associated private keys were compromised.
If a CRL is missing or unavailable, Outlook 2010 cannot determine whether a certificate has
been revoked. Therefore, an improperly issued certificate or one that has been
compromised might be used to gain access to data.
By default, Outlook displays a warning message when a CRL is not available.
Solution
To implement the recommended configuration state, set the following Group Policy setting
to Enabled.
User Configuration\Administrative Templates\Microsoft Outlook
2010\Security\Cryptography\Signature Status dialog box\Missing CRLs\Missing CRLs
Then set the Indicate a missing CRL as a(n)- option to Error.
Impact-Enabling this setting and choosing 'Error' from the drop-down list will prevent Outlook
2010 users from using certificates when the appropriate CRL is not available to verify
them, which could increase desktop support requests.