The modern Internet is highly dependent on the trust communicated via X.509
certificates. However, in some cases certificates become untrusted and it is
necessary to revoke them. In practice, the problem of secure certificate
revocation has not yet been solved, and today no revocation procedure (similar
to Certificate Transparency w.r.t. certificate issuance) has been adopted to
provide transparent and immutable history of all revocations. Instead, the
status of most certificates can only be checked with Online Certificate Status
Protocol (OCSP) and/or Certificate Revocation Lists (CRLs). In this paper, we
present the first longitudinal characterization of the revocation statuses
delivered by CRLs and OCSP servers from the time of certificate expiration to
status disappearance. The analysis captures the status history of over 1
million revoked certificates, including 773K certificates mass-revoked by Let’s
Encrypt. Our characterization provides a new perspective on the Internet’s
revocation rates, quantifies how short-lived the revocation statuses are,
highlights differences in revocation practices within and between different
CAs, and captures biases and oddities in the handling of revoked certificates.
Combined, the findings motivate the development and adoption of a revocation
transparency standard.

By admin