Research On LDAP-Based Implement Of Online Certificate Status Verification

Posted on: 2010-01-18
Degree: Master
Type: Thesis
Country: China
Candidate: M Li
GTID: 2178360272985267
Subject: Computer application technology
Abstract/Summary:
Public Key Infrastructure (PKI), which is based on asymmetric encryption, can ensure the security of network information. The certificate has become the management tool of PKI, and an entity must validate the current status of a certificate before communicating.

As a special kind of data service, a directory service provides a distributed way of storing and publishing Internet data resources. This paper analyzes the LDAP directory service, with a detailed analysis of the LDAP directory protocol's information model, distributed model, functional model and security model, and introduces the application of the LDAP directory service in PKI.

The Online Certificate Status Protocol (OCSP) allows clients to obtain real-time certificate status information through a simple query. In most current PKI implementations, OCSP has become a supplement to the CRL, or even replaces it. OCSP overcomes the latency, poor scalability and management difficulty of the CRL-based mechanism. However, every OCSP response must be signed; if too many queries arrive at the same time, the responder has to sign a large number of response messages, and the efficiency of the OCSP server is greatly reduced.

Based on the LDAP directory service mechanism, this paper presents a new OCSP model. In the new model, the OCSP responder's certificate revocation data is stored in the LDAP directory database, and the certificate authentication relationships between entries are recorded at the same time. The responder gathers the revocation information of the authentication certificates for the entries it serves and signs response messages in advance, which reduces some of the search scope of the revocation database and the signing time when a response message is constructed. The experimental results show that this model reduces the average response time and greatly improves server efficiency.
Keywords/Search Tags: Public Key Infrastructure, LDAP, Directory Service, Online Certificate Status validation, OCSP