Research Of The Certificate Revocation Mechanism Based On PKI

Posted on: 2008-09-17
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Zheng
Full Text: PDF
GTID: 2178360212983669
Subject: Computer application technology
Abstract/Summary:

PKI uses digital certificates to provide a basic guarantee for secure network transactions. A certificate must be revoked before its expiration time when the private key is exposed or the certificate owner's status changes, so an inquiry mechanism is needed to keep the system running safely.

Four main certificate revocation mechanisms (CRL, the on-line inquiry mechanism, CRS, and CRT) are introduced; the advantages and disadvantages of each scheme are then analyzed; finally, a reference scheme for choosing a certificate revocation mechanism according to the concrete PKI system is proposed.

CRL is a widely used certificate revocation mechanism in present PKI systems. Building on the CRL distribution point idea, a new segment-based CRL scheme is given. This scheme shortens the response time of a user's certificate inquiry and decreases the average number of moves of the other revoked certificates in the CRL when an expired certificate is removed (or a newly revoked certificate is inserted).

CRT is a certificate revocation mechanism with brighter application prospects. Compared with CRL, fewer updates are needed between the CA and the repository, and the client-side download cost is lower. Finally, a certificate revocation scheme based on a balanced binary sorting hash tree is put forward. This scheme reduces the average number of comparisons in a certificate status inquiry and, compared with the on-line inquiry system, lowers the communication cost of certificate status validation. The experimental results show that the scheme is efficient.
Keywords/Search Tags: PKI, Certificate, CRL, CRT