[cabfpub] How old are publicly-trusted serverAuth certs when they are revoked?
Rob Stradling
rob.stradling at comodo.com
Fri Feb 17 12:42:27 UTC 2017
I found this interesting, so I thought I'd share it. :-)
Yesterday I ran a query on the crt.sh database to gather data on...
ageWhenRevoked = trunc(revocationDate - notBefore)
Here are the results:
https://docs.google.com/spreadsheets/d/1-_2zFhUc1mKRNPOzH2alad-nX73xST-ouiy5aXRKiXs/edit?usp=sharing
The data set includes all revoked, unexpired serverAuth certs for which
there's a known (to CT) serverAuth trust chain to any root cert that's
trusted by at least one of the major root programs (Microsoft, Mozilla,
Apple, Java).
There are some obviously bogus revocationDates in the data set (e.g.,
-920 days before the notBefore date!). However, if we assume that most
revocationDates in CRLs are accurate, these results show that, in
general, the likelihood of revocation decreases approximately
logarithmically as a certificate ages.
There are spikes around certificate birthdays, which are presumably due
to (i) revalidation failures and/or (ii) customers cancelling regular
payment agreements.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
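
The ageWhenRevoked calculation from the message above, as an added Python example that is not part of the original post and is not the crt.sh query. It computes the value for constructed (notBefore, revocationDate) pairs, sets aside negative ages as bogus, and counts revocations near the first certificate birthday; the function names, the +/-3-day window and the sample records are assumptions.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

def age_when_revoked(not_before, revocation_date):
    """trunc(revocationDate - notBefore) in whole days, truncating toward zero."""
    return math.trunc((revocation_date - not_before) / timedelta(days=1))

def summarize(records):
    """Histogram plausible ages by day; set aside negative (bogus) ages."""
    hist, bogus = Counter(), []
    for serial, not_before, revoked in records:
        age = age_when_revoked(not_before, revoked)
        if age < 0:
            bogus.append((serial, age))   # revoked before it became valid
        else:
            hist[age] += 1
    return hist, bogus

def birthday_count(hist, years=1, slack=3):
    """Revocations within +/- slack days of the Nth anniversary (365*N days)."""
    centre = 365 * years
    return sum(n for age, n in hist.items() if abs(age - centre) <= slack)

# Constructed sample records: (serial, notBefore, revocationDate), naive UTC.
NB = datetime(2016, 6, 1)
RECORDS = [
    ("01", datetime(2016, 1, 1), datetime(2016, 1, 1, 18, 0)),   # same day
    ("02", datetime(2016, 1, 1), datetime(2016, 1, 3, 12, 0)),   # 2.5 days
    ("03", datetime(2016, 2, 1), datetime(2017, 2, 1)),          # 366 days
    ("04", datetime(2015, 3, 1), datetime(2016, 2, 28)),         # 364 days
    ("05", NB, NB - timedelta(days=920, hours=12)),              # bogus date
]

if __name__ == "__main__":
    hist, bogus = summarize(RECORDS)
    print("ages:", sorted(hist.items()))
    print("bogus:", bogus)
    print("near first birthday:", birthday_count(hist))
```

Truncating toward zero matters for the negative case: floor division would report the constructed bogus record as -921 days rather than -920.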