Abstract
Managing public key certificate revocation has long been a central issue in public key infrastructures. Though various certificate revocation mechanisms have been proposed to address this issue, little effort has been devoted to the empirical analysis of real-world certificate revocation data. In this paper, we conduct such an empirical analysis based on a large amount of data collected from VeriSign. Our study enables us to understand how long a revoked certificate lives and how the lifetime of revoked certificates differs by certificate type, geographic location, and organization. Our study also provides a solid foundation for future research on optimal management of certificate revocation for different types of certificates requested from different organizations and located in different geographic locations.
The work of Shouhuai Xu was supported in part by ARO, NSF and UTSA CIAS.
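The measurement the abstract describes, the lifetime of a revoked certificate, is the interval between a certificate's issuance and its appearance in a CRL. The following Python example is added here for illustration and is not code from the paper or its authors: it joins CRL entries (serial number, revocation date) to the issuing CA's own records (serial number, notBefore, certificate type, country, organization) and summarizes lifetimes per group, which is the kind of breakdown the abstract reports. All serial numbers, dates, certificate types, countries and organization names below are constructed sample data, and the record layout is an assumption; a real study would take the revocation dates from the CRL's revokedCertificates list and the issuance data from the CA database.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed issuance records, keyed by certificate serial number (hex string).
# In practice these come from the CA's issuance database, not from the CRL.
ISSUED = {
    "01": {"not_before": "2006-01-10", "type": "SSL", "country": "US", "org": "Acme Corp"},
    "02": {"not_before": "2006-02-01", "type": "SSL", "country": "DE", "org": "Beispiel GmbH"},
    "03": {"not_before": "2006-03-15", "type": "CodeSigning", "country": "US", "org": "Acme Corp"},
    "04": {"not_before": "2006-05-20", "type": "CodeSigning", "country": "DE", "org": "Beispiel GmbH"},
    "05": {"not_before": "2006-07-01", "type": "SSL", "country": "US", "org": "Widget Inc"},
    "07": {"not_before": "2006-09-01", "type": "SSL", "country": "US", "org": "Widget Inc"},
}

# Constructed CRL entries: (serial, revocationDate), as a CRL's revokedCertificates list holds them.
# "06" has no issuance record; "07" is revoked before its notBefore (a data-quality anomaly).
CRL_ENTRIES = [
    ("01", "2006-03-11"),
    ("02", "2006-06-01"),
    ("03", "2007-03-15"),
    ("04", "2006-05-30"),
    ("05", "2006-07-31"),
    ("06", "2006-08-15"),
    ("07", "2006-08-01"),
]


def parse_date(s):
    """Dates are kept as ISO strings in the sample data; CRLs carry UTCTime/GeneralizedTime."""
    return datetime.strptime(s, "%Y-%m-%d")


def revoked_lifetimes(issued, crl_entries):
    """Join each CRL entry to its issuance record and compute lifetime in days.

    Returns (matched, unmatched, anomalies):
      matched   - list of (serial, lifetime_days, issuance_record)
      unmatched - serials present in the CRL but absent from the issuance data
      anomalies - serials whose revocation date precedes notBefore (excluded from statistics)
    """
    matched, unmatched, anomalies = [], [], []
    for serial, revoked_on in crl_entries:
        rec = issued.get(serial)
        if rec is None:
            unmatched.append(serial)
            continue
        days = (parse_date(revoked_on) - parse_date(rec["not_before"])).days
        if days < 0:
            anomalies.append(serial)
            continue
        matched.append((serial, days, rec))
    return matched, unmatched, anomalies


def summarize_by(matched, key):
    """Group lifetimes by an issuance attribute ('type', 'country', 'org') and summarize each group."""
    groups = defaultdict(list)
    for _, days, rec in matched:
        groups[rec[key]].append(days)
    return {
        g: {"count": len(v), "mean_days": mean(v), "median_days": median(v), "max_days": max(v)}
        for g, v in groups.items()
    }


def fraction_revoked_within(matched, days):
    """Share of revoked certificates whose lifetime was at most `days` (one point of the lifetime CDF)."""
    if not matched:
        return 0.0
    return sum(1 for _, d, _ in matched if d <= days) / len(matched)


LIFETIMES, UNMATCHED, ANOMALIES = revoked_lifetimes(ISSUED, CRL_ENTRIES)

if __name__ == "__main__":
    for key in ("type", "country", "org"):
        print(key, summarize_by(LIFETIMES, key))
    print("revoked within 90 days:", fraction_revoked_within(LIFETIMES, 90))
    print("unmatched serials:", UNMATCHED, "anomalies:", ANOMALIES)
```

Unmatched serials and negative lifetimes are reported rather than silently dropped, because on real CRL data they usually point at a join problem (serials from another issuer, a CA whose issuance log is incomplete, or clock errors at revocation time) that would otherwise bias the lifetime distribution.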
© 2008 IFIP International Federation for Information Processing
About this paper
Cite this paper
Walleck, D., Li, Y., Xu, S. (2008). Empirical Analysis of Certificate Revocation Lists. In: Atluri, V. (eds) Data and Applications Security XXII. DBSec 2008. Lecture Notes in Computer Science, vol 5094. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70567-3_13
DOI: https://doi.org/10.1007/978-3-540-70567-3_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-70566-6
Online ISBN: 978-3-540-70567-3