• In Figure 1 below we show the distribution of the revocation reasons for the Alexa top 1 million websites.
• In Figure 2 and Figure 3 we show the certificate types in the same group of one million web pages.
• There were 987 CRLs referenced by the Alexa top million sites. However, 215 of these CRLs
contained no revoked certificates.
• The total number of revoked certificates in these CRLs is 2,650,548.
• Only 19 CRLs (out of 772) were touched by 70.39% of the one million connections. These
CRLs revoked only 125,429 certificates. Their total size was 4.2 MB.
• If we include the top 102 CRLs, which revoked 492,238 certificates, we satisfy
93.24% of the connections. Their total size is 18.3 MB.
• 369 CRLs were referenced in CA certificates (determined by the Basic Constraints extension). Only 223
were responsive.
• The total number of revoked certificates in those 223 CRLs was 389,633.
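The cumulative figures above (19 CRLs for 70.39% of connections, 102 CRLs for 93.24%) come from ranking CRLs by how many connections touch them. The following is an added example, not the authors' code: it assumes each connection references exactly one CRL URL, and all URLs, entry counts and sizes are constructed sample values.

```python
from collections import Counter

# Constructed sample: the CRL URL seen on each of 10 connections (assumption: one per connection).
SAMPLE_CONNS = (["http://crl.example/a.crl"] * 6 + ["http://crl.example/b.crl"] * 2
                + ["http://crl.example/c.crl", "http://crl.example/d.crl"])
# Constructed sample: CRL URL -> (number of revoked entries, size in bytes).
SAMPLE_CRLS = {
    "http://crl.example/a.crl": (1200, 40_000),
    "http://crl.example/b.crl": (300, 9_000),
    "http://crl.example/c.crl": (5000, 150_000),
    "http://crl.example/d.crl": (10, 600),
}

def coverage_table(conn_crls, crl_info):
    """Rank CRLs by connection count and return cumulative rows:
    (rank, url, pct_connections_covered, revoked_entries_total, bytes_total)."""
    total = len(conn_crls)
    if total == 0:
        return []
    hits = Counter(conn_crls)
    rows, covered, revoked, size = [], 0, 0, 0
    # Most-referenced CRL first; ties broken by URL so the order is deterministic.
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    for rank, (url, n) in enumerate(ranked, 1):
        entries, nbytes = crl_info[url]
        covered += n
        revoked += entries
        size += nbytes
        rows.append((rank, url, 100.0 * covered / total, revoked, size))
    return rows

def smallest_set(rows, target_pct):
    """First cumulative row covering at least target_pct of connections, or None."""
    for row in rows:
        if row[2] >= target_pct:
            return row
    return None

if __name__ == "__main__":
    table = coverage_table(SAMPLE_CONNS, SAMPLE_CRLS)
    for target in (70, 90, 100):
        rank, _, pct, revoked, size = smallest_set(table, target)
        print(f"target {target}%: top {rank} CRLs cover {pct:.2f}% "
              f"({revoked} revoked certificates, {size / 1e6:.3f} MB)")
```

Note that the most-referenced CRLs are not necessarily the largest ones, which is why a small set of CRLs can cover most connections at a modest total size.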
We also analyzed the revocation information proposed by Google in their CRLSet solution. The following
interesting data points were gathered from Google’s latest CRLSet:
• The latest update of Google’s CRLSet has 24,156 revoked certificates in its set.
• These certificates were revoked by only 46 CAs.
4 Important Considerations
To have a good revocation model, the following issues must be taken into consideration.
• Security: Does the new model introduce new trust anchors, maintain the current trust anchors or
reduce/limit the current trust anchors?
• Security: Does the new model have false positives/negatives?
• Security: How easy is it to add/delete/modify revocation information?
• Privacy: Does the new model violate the user’s privacy?
• Deployability: Does the new model require changes at the user’s side (browsers), the server’s side
and/or the CA side? Requiring changes at the user’s side only requires a handful of major browsers