revocation_candidates


Description

A certificate becomes a revocation candidate when it is identified as containing a pwned key. Every revocation candidate is a potential notification, but we only send one notification per (issuer, key) pair, as issuers should automatically revoke all certificates for a given key once they have been notified that the key is compromised.

Columns

Column Type Size Nulls Auto Default Children Parents Comments
id uuid 2147483647 null
ocsp_checks.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2024_10.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2024_11.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2024_12.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2025_1.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2025_10.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2025_11.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2025_12.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2025_2.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2025_3.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2025_4.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2025_5.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2025_6.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2025_7.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2025_8.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
ocsp_checks_2025_9.revocation_candidate_id ocsp_checks_revocation_candidate_id_fkey R
spki_fingerprint bytea 2147483647 null
certificate_der bytea 2147483647 null
ocsp_cert_id bytea 2147483647 null
chain_der _bytea 2147483647 '{}'::bytea[]
not_after timestamp 29,6 null

So we don’t keep requesting revocation of a certificate after it’s expired

first_sct_time timestamp 29,6 null

The time of the first SCT for the certificate, so we can better track when issuers should have been revoking the cert

ocsp_uri text 2147483647 null
issuer_id uuid 2147483647 null
issuers.id revocation_candidates_issuer_id_fkey R

The issuer we’ve identified as being most appropriate to receive revocation requests

revocation_request_id uuid 2147483647 null
revocation_requests.id revocation_candidates_revocation_request_id_fkey R

The ‘successful’ revocation request for the key in this certificate, if one has been completed

Indexes

| Constraint Name | Type | Sort | Column(s) |
| --- | --- | --- | --- |
| revocation_candidates_pkey | Primary key | Asc | id |
| revocation_candidates_certificate_der_key | Must be unique | Asc | certificate_der |
| revocation_candidates_ocsp_uri_index | Performance | Asc | ocsp_uri |

Relationships