Database Properties
Database Type: PostgreSQL - 16.4 (Debian 16.4-1.pgdg120+2)
Schema public
standard public schema
Tables
| Table / View | Children | Parents | Columns | Rows | Type | Comments |
|---|---|---|---|---|---|---|
| revocation_candidates | 16 | 2 | 10 | -1 | Table | A certificate becomes a revocation candidate by being identified as containing a pwned key. Every revocation candidate is a potential notification, but we only send a notification once per (issuer, key) pair, as issuers should automatically revoke all certificates for a given key once that key has been notified as having been compromised. |
| ocsp_responses_2025_12 | 0 | 0 | 3 | -1 | Table | |
| ocsp_responses_2025_2 | 0 | 0 | 3 | -1 | Table | |
| ocsp_responses_2025_1 | 0 | 0 | 3 | -1 | Table | |
| ocsp_checks | 0 | 1 | 18 | -1 | Table | Every time an OCSP check is made for a revocation candidate (that is, a certificate which is using a known-compromised key), a record is made for that attempt in this table. As you might expect, things can get pretty big. Revocation status is checked on a per-candidate basis, rather than on a notification basis, to ensure that issuers are doing the right thing and revoking all certificates that use a key which they know to be compromised, even if a notification for that specific certificate was not received. This is in line with CABF BR requirements. |
| ocsp_checks_2024_12 | 0 | 1 | 18 | 100525 | Table | |
| revocation_request_emails | 0 | 2 | 9 | -1 | Table | Emails (attempted to be) sent to issuers to request revocation. |
| ocsp_checks_2024_10 | 0 | 1 | 18 | -1 | Table | |
| ocsp_checks_2025_8 | 0 | 1 | 18 | -1 | Table | |
| ocsp_responses_2025_11 | 0 | 0 | 3 | -1 | Table | |
| ocsp_checks_2024_11 | 0 | 1 | 18 | 97254 | Table | |
| ocsp_checks_2025_9 | 0 | 1 | 18 | -1 | Table | |
| ocsp_responses_2025_10 | 0 | 0 | 3 | -1 | Table | |
| ocsp_responses_2025_8 | 0 | 0 | 3 | -1 | Table | |
| ocsp_responses_2025_7 | 0 | 0 | 3 | -1 | Table | |
| ocsp_responses_2025_9 | 0 | 0 | 3 | -1 | Table | |
| ocsp_responses_2025_4 | 0 | 0 | 3 | -1 | Table | |
| ocsp_responses_2025_3 | 0 | 0 | 3 | 5126 | Table | |
| ocsp_responses_2025_6 | 0 | 0 | 3 | -1 | Table | |
| ocsp_responses_2025_5 | 0 | 0 | 3 | -1 | Table | |
| schema_migrations | 0 | 0 | 1 | -1 | Table | |
| revocation_request_pwnedkey_p10s | 0 | 2 | 10 | -1 | Table | HTTP(S) requests made to provide a pwnedkeys-legacy format PKCS10 attestation of key compromise. |
| ocsp_checks_2025_10 | 0 | 1 | 18 | -1 | Table | |
| issuer_contact_emails | 1 | 1 | 3 | -1 | Table | E-mail addresses for CAs to which we can request revocation. |
| ocsp_responses_2024_12 | 0 | 0 | 3 | 100005 | Table | |
| issuer_contact_pwnedkey_p10s | 1 | 1 | 3 | -1 | Table | HTTP(S) URL endpoints which will accept a POSTed PKCS10 (CSR) attestation of compromise in the older, pwnedkeys-specific format. |
| ocsp_responses_2024_11 | 0 | 0 | 3 | 97043 | Table | |
| ocsp_checks_2025_12 | 0 | 1 | 18 | -1 | Table | |
| ocsp_responses_2024_10 | 0 | 0 | 3 | -1 | Table | |
| ocsp_checks_2025_11 | 0 | 1 | 18 | -1 | Table | |
| revocation_requests | 3 | 1 | 3 | -1 | Table | Each (issuer, key) pair gets a single revocation request. Individual attempts to request revocation are recorded in the type-specific tables below. You might think you’d only need one attempt to request a revocation, but systems fail, so we keep a record of every attempt, for evidence of systemic attempts to avoid receive problem reports. |
| ocsp_checks_2025_6 | 0 | 1 | 18 | -1 | Table | |
| ocsp_checks_2025_7 | 0 | 1 | 18 | -1 | Table | |
| ocsp_checks_2025_4 | 0 | 1 | 18 | 37672 | Table | |
| ocsp_checks_2025_5 | 0 | 1 | 18 | 75221 | Table | |
| ocsp_responses | 0 | 0 | 3 | -1 | Table | Stores the full OCSP responses received from OCSP servers. This is kept out of the main |
| ocsp_checks_2025_2 | 0 | 1 | 18 | -1 | Table | |
| ocsp_checks_2025_3 | 0 | 1 | 18 | 5124 | Table | |
| ocsp_checks_2025_1 | 0 | 1 | 18 | -1 | Table | |
| issuers | 4 | 0 | 2 | -1 | Table | The set of issuers that we have contacts for. The “first” certificate in the chain that matches an entry in this table is getting the report. |
| most_recent_ocsp_checks | 0 | 0 | 18 | 0 | View | Provides the most recent successful (ie HTTP response was successful and the OCSP data was successfully validated) for every revocation candidate. |
| ocsp_response_publication_times | 0 | 0 | 4 | 0 | View | Provides an indication of when a particular OCSP response was first actually seen, which can be quite different from when the response metadata says it was created. |
| revocation_publication_time | 0 | 0 | 2 | 0 | View | Determine the time at which revocation is considered “published”, which we define as the last time we didn’t get a ‘revoked’ status in an OCSP response for that candidate (so as to give the issuer the benefit of the doubt). |
| successful_revocation_requests | 0 | 0 | 2 | 0 | View | |
| revocation_publication_delay | 0 | 0 | 8 | 0 | View | Provides our best estimate of the interval it took for a revocation to be published, based on OCSP response times. |
| ocsp_history | 0 | 0 | 3 | 0 | View | Provides the history of OCSP responses for revocation candidates, with duplicate OCSP responses suppressed so it’s easier to see how an OCSP status changed over time. |
| revocation_status | 0 | 0 | 5 | 0 | View | Provides a consolidated view of the revocation status of all unexpired revocation candidates. Includes information on how long it took to revoke the certificate, based on the interval between notification and the first OCSP response indicating revocation. |