
The Research And Design On Cross-Certification Based On Path Searching Using Weighted Trust List

Posted on: 2006-06-06
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Yang
GTID: 2178360185978814
Subject: Computer software and theory
Abstract/Summary:
This paper analyzes the trust models, path construction and path validation used in cross-certification, and proposes a cross-certification design under a hybrid model that uses a hierarchical structure within a single trust domain and a mesh structure between different trust domains. By presenting a default certificate chain and using a weighted trust list, the design solves the problem of traditional direct cross-certification and also realizes cross-certification through automatic certificate path construction, which increases efficiency compared with traditional approaches. Based on this research, a prototype for CA cross-certification has been designed and implemented, and its test results and analysis are presented. In addition, because cross-certification is currently not easy to popularize and few applications support it, the paper gives an IPSec VPN API design that supports cross-certification under PKIX.

The research and implementation in this paper cover the following aspects:

- Analysis of the merits and defects of existing trust models, and research and selection of a scheme.
- Generation, parsing and verification of cross certificates. The cross-certificate generation module of the prototype provides two types of cross-certification: negotiation-based direct cross-certification and automatic cross-certification through path searching.
- Cross-certificate publishing, access and directory service. The paper designs the prototype's LDAP interface for publishing, the LDAP directory tree structure for storage, and the certificate publishing procedure.
- Path construction and path validation for cross-certification. The path construction algorithm generates a certificate chain that includes cross certificates by presenting a default certificate chain and searching the weighted trust list. The paper also gives the prototype's detailed processing procedure.
- IPSec VPN API design supporting cross-certification. The paper designs the API by analyzing the IKE negotiation mechanism and constructing a local trust list.
- Prototype testing, and IPSec VPN testing based on the prototype PKIX.

The research of this thesis has been sponsored by the Natural Science Foundation of Jiangsu Province (project number: BK2004039).
Keywords/Search Tags:PKI, CA, cross-certification, certificate chain, weighted trust list, VPN, IKE