The modern Internet depends heavily on the trust communicated via X.509 certificates. In some cases, however, a certificate becomes untrusted and must be revoked. In practice, the problem of secure certificate revocation has not yet been solved: no revocation procedure analogous to what Certificate Transparency provides for certificate issuance has been adopted that would give a transparent and immutable history of all revocations. Instead, the status of most certificates can only be checked via the Online Certificate Status Protocol (OCSP) and/or Certificate Revocation Lists (CRLs). In this paper, we present the first longitudinal characterization of the revocation statuses delivered by CRLs and OCSP servers, from the time of certificate expiration to status disappearance. The analysis captures the status history of over 1 million revoked certificates, including 773K certificates mass-revoked by Let's Encrypt. Our characterization provides a new perspective on the Internet's revocation rates, quantifies how short-lived revocation statuses are, highlights differences in revocation practices within and between CAs, and captures biases and oddities in the handling of revoked certificates. Combined, the findings motivate the development and adoption of a revocation transparency standard.
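The status-disappearance effect the abstract describes, as an added illustration that is not the paper's code: a constructed model CA whose CRL drops an entry once the revoked certificate has itself expired (behaviour RFC 5280 permits), a relying-party check, and a daily probe that measures how long the "revoked" status stayed observable. The serial, dates and lifetimes are constructed sample values; real CAs differ in when (or whether) entries disappear, which is exactly what the paper measures.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Cert:
    serial: int
    not_after: datetime                  # certificate expiry (notAfter)
    revoked_at: Optional[datetime] = None


@dataclass
class ModelCA:
    """Constructed model CA: its CRL lists a revoked serial only while the
    certificate is unexpired, then the entry disappears (allowed by RFC 5280)."""
    certs: Dict[int, Cert] = field(default_factory=dict)

    def revoke(self, serial: int, when: datetime) -> None:
        self.certs[serial].revoked_at = when

    def crl(self, now: datetime) -> set:
        return {s for s, c in self.certs.items()
                if c.revoked_at is not None and c.revoked_at <= now <= c.not_after}


def status(ca: ModelCA, serial: int, now: datetime) -> str:
    """Relying-party view: 'revoked', 'good', or 'unknown' once no status is
    served any more (expired certificate, entry gone from the CRL)."""
    if serial in ca.crl(now):
        return "revoked"
    cert = ca.certs.get(serial)
    if cert is None or now > cert.not_after:
        return "unknown"
    return "good"


def track(ca: ModelCA, serial: int, start: datetime, days: int) -> List[Tuple[datetime, str]]:
    """Longitudinal probe: one status observation per day, days 0..days."""
    return [(start + timedelta(days=d), status(ca, serial, start + timedelta(days=d)))
            for d in range(days + 1)]


def status_lifetime(observations: List[Tuple[datetime, str]]) -> timedelta:
    """How long the 'revoked' status stayed observable (first to last sighting)."""
    seen = [t for t, s in observations if s == "revoked"]
    return seen[-1] - seen[0] if seen else timedelta(0)


def build_ca() -> Tuple[ModelCA, datetime]:
    """Constructed sample: one 30-day certificate, revoked on day 5."""
    t0 = datetime(2024, 1, 1)
    ca = ModelCA({0x1234: Cert(0x1234, t0 + timedelta(days=30))})
    ca.revoke(0x1234, t0 + timedelta(days=5))
    return ca, t0
```

Probing daily for 35 days shows the status as "good" before day 5, "revoked" from day 5 through day 30, and "unknown" afterwards, so the revocation was observable for 25 days and leaves no trace once the certificate expires.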