[cabfpub] How old are publicly-trusted serverAuth certs when they are revoked?

Rob Stradling rob.stradling at comodo.com
Fri Feb 17 12:42:27 UTC 2017

I found this interesting, so I thought I'd share it.  :-)

Yesterday I ran a query on the crt.sh database to gather data on...

ageWhenRevoked = trunc(revocationDate - notBefore)

Here are the results:

The data set includes all revoked, unexpired serverAuth certs for which 
there's a known (to CT) serverAuth trust chain to any root cert that's 
trusted by at least one of the major root programs (Microsoft, Mozilla, 
Apple, Java).

There are some obviously bogus revocationDates in the data set (e.g., 
-920 days before the notBefore date!)  However, if we assume that most 
revocationDates in CRLs are accurate, these results show that, in 
general, the likelihood of revocation decreases approximately 
logarithmically as a certificate ages.
There are spikes around certificate birthdays, which are presumably due 
to (i) revalidation failures and/or (ii) customers cancelling regular 
payment agreements.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list