
Research Of Trust Model And Certificate Path Building Method In PKI

Posted on: 2008-02-24
Degree: Master
Type: Thesis
Country: China
Candidate: S Chen
Full Text: PDF
GTID: 2178360242967328
Subject: Software engineering
Abstract/Summary:
Public Key Infrastructure (PKI) is now the foundation and core of network security construction, and it has also become a basic guarantee for electronic business. How PKI systems can better interconnect and interoperate, so as to meet the need for interoperation among CAs and end entities, is the question studied through the PKI trust model. Choosing a suitable trust model is an essential step in constructing and operating a PKI, and it is also the basic decision when deploying one.

This paper analyzes and compares several existing CA-based trust models, points out their respective advantages and disadvantages, proposes a new model called A Bridge Trust Model Based on Construction Policy Processor (CPBTM), and discusses its path construction. For CPBTM, the paper analyzes the design idea and the detailed workflow, and presents the structure of the model and of its kernel, the construction policy processor (CPP). In the model, the CPP is used to access the CA directory services, obtain the CA path information, and construct and store the paths. The complicated path construction problem thus turns into a path information query, which resolves the efficiency bottleneck caused by frequent access to the CA server during path construction. The independence of the CPP not only ensures a high degree of independence among different trust domains but also provides extensibility and flexibility: if a new PKI is added to the model, the CPP collects and sorts out the related path information without influencing any existing domain, which extends the concept of the domain.

Besides, certification path processing consists of two phases: path construction and path validation. The path validation phase is described in detail in both X.509 and RFC 3280, but very little published information is available to help implementers and product evaluators understand the complexities involved. No standard has been issued for constructing certification paths, which may make the process complex and error-prone, so any optimization is significant.

After studying the advantages and disadvantages of existing certificate path construction schemes, the paper proposes a certificate path construction scheme based on the construction policy processor, which is used in CPBTM. In this scheme, a filtering and precedence rule and a related policy evaluating function are presented, making use of the policy constraints in certificate verification. The PCS used in CPBTM filters out invalid and low-trust-level candidate paths, which enhances the security trust level of the certificates in the path and realizes an optimization of the traditional bridge trust model in PKI. This is shown by analysis of the experimental data.
Keywords/Search Tags:Certificate Path, Bridge Trust Model, Construction Policy Processor, Branches Cutting, Policy Evaluating Function