After analyzing the problems of traditional certificate validation in a distributed PKI environment, this paper proposes a scheme that uses a proxy for certificate validation. The proxy frees the client from the complicated work of certificate validation by performing certificate path construction and certificate path validation on its behalf, which makes a truly "thin" client possible. The research promotes PKI applications on portable devices and resolves the problems of how to construct a certificate path between different trust domains and how to validate that path in a hybrid PKI trust model based on distributed cross-certification. In addition, the paper standardizes the interaction between client and server on the SCVP protocol. The specific research and implementation work covers the following aspects:

Study the theory of PKI in depth. After analyzing the existing PKI models, select the trust model that is most significant and worthwhile to implement. This model uses a hierarchical structure within a trust domain and a mesh structure between trust domains.

Analyze the present mode of certificate validation and propose a certificate validation proxy to overcome the shortcomings of the "fat" client. Implement the proxy on top of OpenSSL.

Study the SCVP protocol and make it the interaction standard between client and server.

Propose an algorithm for constructing certificate paths in the selected PKI trust model. Within a trust domain, paths are constructed in the forward direction; between trust domains, paths are constructed in the reverse direction using depth-first search.

Study RFC 3280 and implement the certificate path validation algorithm.

Optimize the path construction algorithm by completing part of the path validation work during path construction, so that the constructed paths are more likely to be valid and the proxy is more efficient.

Give a test case using the selected PKI model. Certificates and CRLs are stored in an LDAP directory server, and the proxy's results are given for some typical circumstances. The results indicate that the implemented proxy achieves its initial design goals in function.
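The path construction outlined above can be sketched as follows; this is an added example, not the paper's OpenSSL-based proxy code. It builds forward inside the target's hierarchical domain, then searches depth-first from the relying party's trust anchor across cross-certificates, pruning expired or revoked ones during the search. The domain names, certificate tuples and function names are constructed for illustration, and only expiry and revocation are checked, not signatures or the other RFC 3280 steps.

```python
from datetime import date

# Constructed sample PKI (not from the paper): three trust domains A, B, C.
# ISSUER maps subject -> issuer inside one hierarchical domain.
ISSUER = {"alice": "A-sub", "A-sub": "A-root", "bob": "B-root", "carol": "C-root"}
# Cross-certificates between domain roots: (issuer, subject, not_after, serial).
CROSS = [
    ("A-root", "B-root", date(2020, 1, 1), 101),  # expired
    ("A-root", "C-root", date(2030, 1, 1), 102),
    ("C-root", "B-root", date(2030, 1, 1), 103),
    ("B-root", "A-root", date(2030, 1, 1), 104),
]
REVOKED = set()  # serial numbers listed on the (constructed) CRLs


def forward_chain(subject):
    """Forward construction inside a domain: follow issuers up to the root."""
    chain = [subject]
    while chain[-1] in ISSUER:
        chain.append(ISSUER[chain[-1]])
    return chain  # target first, domain root last


def reverse_dfs(current, goal, today, revoked, visited):
    """Reverse construction between domains: depth-first from the trust anchor,
    dropping expired or revoked cross-certificates as soon as they are met."""
    if current == goal:
        return [current]
    visited.add(current)
    for issuer, subj, not_after, serial in CROSS:
        if issuer != current or subj in visited:
            continue
        if not_after < today or serial in revoked:
            continue  # validation folded into construction: prune this branch
        rest = reverse_dfs(subj, goal, today, revoked, visited)
        if rest:
            return [current] + rest
    return None


def build_path(trust_anchor, target, today, revoked=REVOKED):
    """Return the path from trust anchor down to target, or None."""
    chain = forward_chain(target)
    across = reverse_dfs(trust_anchor, chain[-1], today, revoked, set())
    if across is None:
        return None
    return across + chain[-2::-1]  # append the in-domain part, root excluded
```
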