On the Self-similarity Nature of the Revocation Data
One of the hardest tasks of a Public Key Infrastructure (PKI) is to manage revocation. Different revocation mechanisms have been proposed to invalidate the credentials of compromised or misbehaving users. All these mechanisms aim to optimize the transmission of revocation data to avoid unnecessary network overhead. To that end, they establish release policies based on the assumption that the revocation data follows a uniform or Poisson distribution. The temporal distribution of the revocation data has a significant influence on the performance and scalability of the revocation service. In this paper, we demonstrate that the temporal distribution of the daily number of revoked certificates is statistically self-similar, and that the currently assumed Poisson distribution does not capture the statistical properties of the data. None of the commonly used revocation models takes this fractal behavior into account, although it has serious implications for the design, control, and analysis of revocation protocols such as CRL or delta-CRL.
Keywords: Self-similarity, Certification, Public Key Infrastructure, Revocation
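As an added illustration of the distinction the abstract draws (this is not code or data from the paper), the following Python applies the variance-time (aggregated variance) Hurst estimator, a standard self-similarity test, to two constructed daily-revocation series: one drawn under the Poisson assumption, one built as a sum of heavy-tailed on/off sources. The estimator, both generators and all parameter values (rate 20 per day, 100 sources, Pareto alpha 1.3, 16384 days) are this example's own assumptions.

```python
import math
import random
from statistics import pvariance

def hurst_aggregate_variance(series, levels=(1, 2, 4, 8, 16, 32, 64, 128, 256)):
    """Variance-time estimate of the Hurst parameter H of a daily count series.
    Counts are averaged over blocks of m days.  For i.i.d. (Poisson) counts the
    variance of the block means decays like m**-1 (H = 0.5); for a self-similar
    series it decays like m**(2H-2), so H > 0.5.  H comes from the least-squares
    slope of log(variance) against log(m)."""
    xs, ys = [], []
    for m in levels:
        blocks = [sum(series[i:i + m]) / m for i in range(0, len(series) - m + 1, m)]
        xs.append(math.log(m))
        ys.append(math.log(pvariance(blocks)))
    x_bar, y_bar = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = (sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, ys))
             / sum((x - x_bar) ** 2 for x in xs))
    return 1.0 + slope / 2.0

def poisson_daily_counts(days, rate, rng):
    """Constructed daily revocation counts under the usual Poisson assumption."""
    counts, limit = [], math.exp(-rate)
    for _ in range(days):
        k, p = 0, rng.random()
        while p > limit:                    # Knuth's product-of-uniforms sampler
            k, p = k + 1, p * rng.random()
        counts.append(k)
    return counts

def bursty_daily_counts(days, sources, alpha, rng):
    """Constructed self-similar counts: a sum of on/off sources whose on and off
    periods are heavy-tailed (Pareto, 1 < alpha < 2).  Aggregating such sources
    is a standard way to obtain long-range dependence with H = (3 - alpha) / 2."""
    counts = [0] * days
    for _ in range(sources):
        day, on = 0, rng.random() < 0.5
        while day < days:
            length = int(rng.paretovariate(alpha))      # whole days, always >= 1
            if on:
                for d in range(day, min(days, day + length)):
                    counts[d] += 1
            day, on = day + length, not on
    return counts

def estimate_both(seed=2011, days=16384):
    """Return (H_poisson, H_bursty) for one constructed pair of series (assumed parameters)."""
    rng = random.Random(seed)
    return (hurst_aggregate_variance(poisson_daily_counts(days, 20, rng)),
            hurst_aggregate_variance(bursty_daily_counts(days, 100, 1.3, rng)))
```

Run `estimate_both()` to see the Poisson series land near H = 0.5 while the bursty series sits well above it; a CRL release policy sized from the Poisson series' variance at the block sizes in `levels` would underestimate the variability the bursty series shows at the same aggregation level.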