15th USENIX Security Symposium Abstract
Pp. 17–28 of the Proceedings
On the Release of CRLs in Public Key Infrastructure
Chengyu Ma, Beijing University; Nan Hu and Yingjiu Li, Singapore Management University
Public key infrastructure provides a promising foundation for verifying the authenticity of communicating parties and transferring trust over the internet. The key issue in public key infrastructure is how to process certificate revocations. Previous research in this aspect has concentrated on the tradeoffs that can be made among different revocation options. No rigorous efforts have been made to understand the probability distribution of certificate revocation requests based on real empirical data. In this study, we first collect real empirical data from VeriSign and derive the probability function for certificate revocation requests. We then prove that a revocation system will become stable after a period of time. Based on these, we show that different certificate authorities should take different strategies for releasing certificate revocation lists for different types of certificate services. We also provide the exact steps by which certificate authorities can derive optimal releasing strategies.
The Proceedings are published as a collective work, © 2006 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.