Article
ID: 17729
Date: 26 April 2006
Updated: 18 December 2006
Question: What is the Certificate Revocation List (CRL)
Answer: Each company that uses Verisign's certificates, has a license to use the certificates which must be kept current (like a subscription) in order to continue to use Verisign's certificates. The CRL verification step is where the OTA Setup application and the GoodLink client (in the case of over the air upgrade) contacts http://crl.verisign.com/pca3.crl to verify that the certificate used to sign the GoodLink binary is not in the list of revoked certificates (meaning the subscription is current). It makes an HTTPS request to Verisign to get the list of revoked certificates to do this. The device *must* be able to pull the list. If it cannot, it is very likely that something at the carrier is blocking the request (firewall level). Additionally they could be reformating the request or reply in a fashion that the device's browser cannot support.
Orange UK, is a known carrier to be filtering this.
Additional Information: Please also see KB Article 17635: Provisioning Stuck on Verifying Certificates