On the Self-similarity Nature of the Revocation Data

  • Carlos Gañán
  • Jorge Mata-Díaz
  • Jose L. Muñoz
  • Oscar Esparza
  • Juanjo Alins
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7483)


One of the hardest tasks of a Public Key Infrastructure (PKI) is to manage revocation. Different revocation mechanisms have been proposed to invalidate the credentials of compromised or misbehaving users. All these mechanisms aim to optimize the transmission of revocation data to avoid unnecessary network overhead. To that end, they establish release policies based on the assumption that the revocation data follows uniform or Poisson distribution. Temporal distribution of the revocation data has a significant influence on the performance and scalability of the revocation service. In this paper, we demonstrate that the temporal distribution of the daily number of revoked certificates is statistically self-similar, and that the currently assumed Poisson distribution does not capture the statistical properties of the distribution. None of the commonly used revocation models takes into account this fractal behavior, though such behavior has serious implications for the design, control, and analysis of revocation protocols such as CRL or delta-CRL.


Self-similarity Certification Public Key Infrastructure Revocation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Willinger, W., Paxson, V., Taqqu, M.S.: Self-similarity and heavy tails: structural modeling of network traffic, pp. 27–53 (1998)Google Scholar
  2. 2.
    Beran, J.: Statistics for Long-Memory Processes. Monographs on Statistics and Applied Probability. Chapman & Hall (1994)Google Scholar
  3. 3.
    Taqqu, M.S., Teverovsky, V., Willinger, W.: Estimators for long-range dependence: An empirical study. Fractals 3, 785–798 (1995)zbMATHCrossRefGoogle Scholar
  4. 4.
    Peng, C.K., Havlin, S., Stanley, H.E., Goldberger, A.L.: Quantification of scaling exponents and crossover phenomena in nonstationary heartbeat time series. Chaos Woodbury Ny 5(1), 82–87 (1995)CrossRefGoogle Scholar
  5. 5.
    Netcraft. Market share of certification authorities (2009), (accessed on May 2011)
  6. 6.
    Jain, G.: Certificate revocation: A survey, (accessed on May 2011)
  7. 7.
    Karagiannis, T., Faloutsos, M., Riedi, R.H.: Long-range dependence: now you see it, now you don’t. In: Proc. GLOBECOM 2002, pp. 2165–2169 (2002)Google Scholar
  8. 8.
    Leland, W.E., Taqqu, M.S., Willinger, W., Wilson, D.V.: On the self-similar nature of ethernet traffic (extended version). IEEE/ACM Trans. Netw. 2(1), 1–15 (1994)CrossRefGoogle Scholar
  9. 9.
    Cooper, D.A.: A model of certificate revocation. In: Fifteenth Annual Computer Security Applications Conference, pp. 256–264 (1999)Google Scholar
  10. 10.
    Cooper, D.A.: A more efficient use of Delta-CRLs. In: 2000 IEEE Symposium on Security and Privacy. Computer Security Division of NIST, pp. 190–202 (2000)Google Scholar
  11. 11.
    Technological infrastructure for pki and digital certification. Computer Communications 24(14), 1460–1471 (2001)Google Scholar
  12. 12.
    Fox, B., LaMacchia, B.: Certificate Revocation: Mechanics and Meaning. In: Hirschfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 158–164. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  13. 13.
    Naor, M., Nissim, K.: Certificate Revocation and Certificate Update. IEEE Journal on Selected Areas in Communications 18(4), 561–570 (2000)CrossRefGoogle Scholar
  14. 14.
    Walleck, D., Li, Y., Xu, S.: Empirical Analysis of Certificate Revocation Lists. In: Atluri, V. (ed.) DAS 2008. LNCS, vol. 5094, pp. 159–174. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  15. 15.
    Ma, C., Hu, N., Li, Y.: On the release of CRLs in public key infrastructure. In: Proceedings of the 15th Conference on USENIX Security Symposium, vol. 15, pp. 17–28 (2006)Google Scholar
  16. 16.
    Hu, N., Tayi, G.K., Ma, C., Li, Y.: Certificate revocation release policies. Journal of Computer Security 17, 127–157 (2009)Google Scholar
  17. 17.
    ITU/ISO Recommendation. X.509 Information Technology Open Systems Interconnection - The Directory: Autentication Frameworks, Technical Corrigendum (2000)Google Scholar
  18. 18.
    Ofigsbø, M.H., Mjølsnes, S.F., Heegaard, P., Nilsen, L.: Reducing the Cost of Certificate Revocation: A Case Study. In: Martinelli, F., Preneel, B. (eds.) EuroPKI 2009. LNCS, vol. 6391, pp. 51–66. Springer, Heidelberg (2010)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Carlos Gañán
    • 1
  • Jorge Mata-Díaz
    • 1
  • Jose L. Muñoz
    • 1
  • Oscar Esparza
    • 1
  • Juanjo Alins
    • 1
  1. 1.Telematics DepartmentUniversitat Politècnica de CatalunyaBarcelonaSpain

Personalised recommendations