diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index 8b34085e4..4298e4350 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -440,9 +440,14 @@ change it.
 @itemx --disable-crl-checks
 @opindex enable-crl-checks
 @opindex disable-crl-checks
-By default the @acronym{CRL} checks are enabled and the DirMngr is used
-to check for revoked certificates. The disable option is most useful
-with an off-line network connection to suppress this check.
+By default the @acronym{CRL} checks are enabled and the DirMngr is
+used to check for revoked certificates. The disable option is most
+useful with an off-line network connection to suppress this check and
+also to avoid that new certificates introduce a web bug by including a
+certificate specific CRL DP. The disable option also disables an
+issuer certificate lookup via the authorityInfoAccess property of the
+certificate; the @option{--enable-issuer-key-retrieve} can be used
+to make use of that property anyway.
 
 @item --enable-trusted-cert-crl-check
 @itemx --disable-trusted-cert-crl-check
diff --git a/sm/certchain.c b/sm/certchain.c
index 2d2aec338..1555a84a7 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -929,15 +929,19 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
     }
 
   /* If we still didn't found it, try an external lookup. */
-  if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next)
+  if (rc == -1 && !find_next && !ctrl->offline)
     {
-      if (!find_up_via_auth_info_access (ctrl, kh, cert))
+      /* We allow AIA also if CRLs are enabled; both can be used
+       * as a web bug so it does not make sense to not use AIA if
+       * CRL checks are enabled. */
+      if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)
+          && !find_up_via_auth_info_access (ctrl, kh, cert))
         {
           if (DBG_X509)
             log_debug (" found via authorityInfoAccess.caIssuers\n");
           rc = 0;
         }
-      else
+      else if (opt.auto_issuer_key_retrieve)
         {
           rc = find_up_external (ctrl, kh, issuer, keyid);
           if (!rc && DBG_X509)
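Review bot: The predicate `(opt.auto_issuer_key_retrieve || !opt.no_crl_check)` is introduced verbatim at two sites, here at +929 and again in the second hunk at +1005, but only this hunk carries the comment explaining why AIA is consulted whenever CRL checks are on; a small static helper holding both the predicate and the rationale would keep the two sites from drifting apart, and the call sites would read `if (aia_issuer_lookup_allowed () && !find_up_via_auth_info_access (ctrl, kh, cert))`. The new `!ctrl->offline` guard on the outer condition also covers the `else if (opt.auto_issuer_key_retrieve)` branch, so with issuer-key retrieval enabled in offline mode `find_up_external` is no longer reached at all, where the old condition let it be attempted; if that is intended, the comment should say so, since it is a behaviour change independent of the AIA relaxation. Because gpgsm will now follow a certificate-supplied AIA URL under default settings, the comment should also state that whatever `find_up_via_auth_info_access` returns is only a candidate issuer and is still subject to the normal chain verification (I assume the caller does this as before, but it is not visible in this hunk). find_up begins and ends outside this hunk, and the same remarks apply to the second hunk.

```c
/* We allow AIA also if CRLs are enabled; both can be used as a web bug
 * so it does not make sense to not use AIA if CRL checks are enabled.
 * The issuer fetched this way is only a candidate and still has to pass
 * the regular chain verification.  Shared by both lookup sites in find_up. */
static int
aia_issuer_lookup_allowed (void)
{
  return opt.auto_issuer_key_retrieve || !opt.no_crl_check;
}

  /* … unchanged: local keybox lookups … */
  if (rc == -1 && !find_next && !ctrl->offline)
    {
      if (aia_issuer_lookup_allowed ()
          && !find_up_via_auth_info_access (ctrl, kh, cert))
        /* … unchanged: debug log and rc = 0 … */
```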
@@ -1001,15 +1005,16 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
     }
 
   /* Still not found. If enabled, try an external lookup. */
-  if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next)
+  if (rc == -1 && !find_next && !ctrl->offline)
     {
-      if (!find_up_via_auth_info_access (ctrl, kh, cert))
+      if ((opt.auto_issuer_key_retrieve || !opt.no_crl_check)
+          && !find_up_via_auth_info_access (ctrl, kh, cert))
         {
           if (DBG_X509)
             log_debug (" found via authorityInfoAccess.caIssuers\n");
           rc = 0;
         }
-      else
+      else if (opt.auto_issuer_key_retrieve)
         {
           rc = find_up_external (ctrl, kh, issuer, NULL);
           if (!rc && DBG_X509)