
The Optimal Path Building Algorithm With The Policy Constraints

Posted on: 2006-11-13
Degree: Master
Type: Thesis
Country: China
Candidate: K Wu
Full Text: PDF
GTID: 2168360155453122
Subject: Computer software and theory
Abstract/Summary:
PKI is an infrastructure that provides information security services based on public-key theory and technology. Public-key cryptography is one of the most prevalent encryption systems at present. Built on a uniform security certification standard, PKI is the collection of CA certification, digital certificates, digital signatures and related security application components. PKI solves many security problems, such as web identity authentication, information integrity, confidentiality and non-repudiation. It provides reliable security assurance for web applications. Moreover, PKI is related to e-government, e-business and the country's overall informatization development strategy. Its core problem is the trust problem. PKI is a macroscopic system of technology, applications, organization, standards and statutes, which reflects a country's national strength. With the development of the Internet, all kinds of industries need PKI technology and blueprints, whose market prospects are very large. The construction of CAs in our country is growing rapidly. It is said that there are tens of CAs all over the country, mostly regional and industry CAs. In particular, the regional CAs, mostly backed by local government and operated as companies, are expanding. As the trusted third party, CAs are responsible for issuing digital certificates to entities to prove the authenticity of their identities, and for checking and managing certificates. The users of digital certificates have their own public/private key pairs. The construction of CAs not only solves the problem of domestic information security, but also quickly raises the scientific and technical level of information security products, and establishes and leads the development of the information security industry. Developing a universal interface linked with CAs can make applications convenient.
Besides, producing a cross-certification application interface across regions and the constraints of CAs is of great value for solving regional information security. The current PKI system includes many standards and protocols. The primary ones are X.209 ASN.1, X.500, X.509, PKCS, OCSP and LDAP. Others are SET and SSL. Based on a study of PKI theory and an analysis of existing technology, this thesis considers the difficulties in connecting different PKIs and in certification path building and validation, combines them with the practical advantages of the BCA, and puts forward a realistic method of building the certification path through different trust domains across BCAs: the Optimal Path Building Algorithm with the Policy Constraints. Finding and validating the certification path is the core of the system. After the trust root and the information of the target certificate are entered, the system uses the known and required settings to build and validate the path. The path building system must find all paths as efficiently as possible. In view of the directory attributes, trust models and the number of trust roots, the forward direction is better. The system uses an LDAPv3 directory to access certificates and simulates the necessary functions as required, to conveniently support path building and validation. To avoid unnecessary complexity and errors, the system rejects dead ends by tracing, and rejects the repetition of certificates and subjects. Certificate policies are groups of named rules that indicate common security requirements and the applicability to a class of applications. They define the obligations and rights among certificate users, CAs and end entities. A certificate may be issued with one or more policies. X.509v3 requires the extensions to appear alone. The pivotal ones are basicConstraints and certificatePolicies.
Above all, they are the primary factors in assigning weight values when the system builds paths. For ease of expression and storage, the thesis proposes a special decision-making tree and a valid policy tree in addition to the certificate buffer. The core of the algorithm is to measure the best path by assigning weight values. There are 22 items, including basic constraints, policy constraints and others. During the head process, build the certification path from the...
Keywords/Search Tags: PKI, Cross-Certification, Certification Path Construction And Validation
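
An added illustration (not code from the thesis) of the forward path building the abstract describes: it walks from the target certificate toward the trust root, drops dead ends and repeated certificates or subjects, applies basicConstraints and a required policy, and ranks the surviving paths by weight. The certificate names, the in-memory directory standing in for LDAP, the single-policy check and the two-item weight are assumptions; the thesis's 22 weight items are not given in the abstract.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    is_ca: bool = True
    path_len: Optional[int] = None          # basicConstraints pathLenConstraint
    policies: frozenset = frozenset({"P"})  # certificatePolicies (toy identifiers)

# Constructed directory contents standing in for LDAP lookups (not real data).
TARGET = Cert("CA-B2", "alice", is_ca=False)
DIRECTORY = [
    Cert("CA-B1", "CA-B2", path_len=0),
    Cert("CA-X", "CA-B2"),                  # dead end: nothing is issued to CA-X
    Cert("CA-B2", "CA-B1"),                 # mutual cross-certificate: a loop
    Cert("BCA", "CA-B1", path_len=1),       # issued by the bridge
    Cert("RootA", "CA-B1", policies=frozenset({"Q"})),  # lacks policy "P"
    Cert("RootA", "BCA", path_len=2),
    Cert("CA-A1", "BCA"), Cert("RootA", "CA-A1"),       # longer route to the bridge
]

def build_paths(chain, root, policy):
    """Forward search: follow issuer links from the target up to the trust root."""
    tip = chain[-1]
    if tip.issuer == root:
        return [chain]
    seen = {c.subject for c in chain}
    found = []
    for c in DIRECTORY:
        if c.subject != tip.issuer or not c.is_ca:
            continue                        # not a CA certificate for our issuer
        if c in chain or c.subject in seen:
            continue                        # repeated certificate or subject
        if c.path_len is not None and len(chain) - 1 > c.path_len:
            continue                        # too many CA certificates below c
        if policy not in c.policies:
            continue                        # required policy not asserted
        found += build_paths(chain + [c], root, policy)
    return found                            # empty list: dead end, caller moves on

def weight(path):
    # Hypothetical cost: 10 per certificate, plus 1 per CA without pathLenConstraint.
    return 10 * len(path) + sum(c.path_len is None for c in path if c.is_ca)

def best_path(target, root, policy):
    paths = build_paths([target], root, policy) if policy in target.policies else []
    return min(paths, key=weight) if paths else None
```
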