Public Key Infrastructure (PKI), built on public-key cryptography, is currently regarded as the most feasible and effective means of addressing information security problems in large, open networking environments. In the course of designing and developing an enterprise PKI system, this thesis treats two core components of such a system, the directory service and the online certificate status validation system, both theoretically and practically.

Directory services have proliferated with the growth of the Internet and are used in a wide variety of network-based applications. The directory service standards, X.500 and the Lightweight Directory Access Protocol (LDAP), are introduced, and the LDAP directory is analyzed in detail through each of its models: the protocol model, information model, naming model, distribution model, functional model and security model. From this analysis a general design procedure for directory services is derived, and a secure, efficient directory service for PKI is built. The handling of local-language information in LDAP directory applications is then analyzed.

The Online Certificate Status Protocol (OCSP) allows a client to query a responder for the status of one or more certificates and obtain up-to-date information on their validity. PKI implementations can use OCSP instead of, or as a complement to, Certificate Revocation Lists (CRLs) to overcome the latency, scalability and manageability problems inherent in CRL-based solutions. A secure, efficient and scalable online certificate status validation system based on OCSP and its extension (OCSP-X) is developed in this thesis; the system can also accommodate an Online Revocation Service (ORS), a Delegated Path Validation (DPV) service and a Delegated Path Discovery (DPD) service. Finally, several factors affecting the efficiency and scalability of the system are analyzed, and some security considerations are presented.