Research on a Self-Validation Scheme for X.509 Digital Certificate Validity (Journal of Xi'an Technological University)




Validity checking is an important part of X.509 digital certificate deployment. Providing certificate status is a potential bottleneck for the certificate authority (CA) because of the large volume of data exchanged between the CA and its clients. This paper proposes a novel self-validation scheme for certificate revocation and validation based on XML signature technology. The main idea is that, after the CA issues a digital certificate, the certificate owner adds status information, e.g. revocation information, to the X.509 certificate and signs this information using an XML signature. The improved certificate thus carries its own current validity status, so clients do not need to query the CA to check revocation, which reduces the data exchanged between the CA and the clients and makes validity checking simple and efficient. The analysis indicates that the proposed scheme is secure in practice. The evaluation results show that the self-validation scheme is more efficient in practical use than the traditionally used certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP), resolving the validity-checking bottleneck in the practical use of digital certificates.


