Temporal Analysis of X.509 Revocations and their Statuses

Abstract

Despite the X.509 public key infrastructure (PKI) being essential for ensuring the trust we place in our communication with web servers, the revocation of the trust placed in individual X.509 certificates is neither transparent nor well-studied, leaving many unanswered questions. In this paper, we present a temporal analysis of 36 million certificates, whose revocation statuses we followed for 120 days since first being issued. We characterize the revocation rates of different certificate authorities (CAs) and how the rates change over the lifetime of the certificates. We identify and discuss several instances where the status changes from “revoked” to “good”, “unauthorized” or “unknown”, respectively, before the certificate's expiry. This complements prior work that has observed such inconsistencies in some CAs' behavior after expiry but also highlight a potentially more severe problem. Our results highlight heterogeneous revocation practices among the CAs.