
Research and Implementation of a Revocation Scheme Based on Active Status Certificate

Posted on: 2010-02-07
Degree: Master
Type: Thesis
Country: China
Candidate: Y B Li
GTID: 2178360278480838
Subject: Computer application technology

Abstract/Summary:
As a universal platform for information security infrastructure, PKI has, after more than ten years of development, been widely used in fields such as e-commerce and e-government. However, some technical problems still hamper the development of PKI. Among them, certificate revocation is a difficult issue and also a vital link in the application of PKI.

This thesis revolves around the design of a practical and efficient mechanism for certificate revocation. It starts with an analysis of the advantages and disadvantages of the major existing certificate revocation mechanisms. It then proposes a revocation mechanism based on the active status certificate (ASC), which combines the advantages of both CRL and OCSP. In this mechanism, the ASC that proves a certificate's status is published on a regular basis by the CA but maintained by the user. When a validator validates the status of a certificate, the certificate holder actively sends the ASC to the validator. The mechanism improves on communication overhead, computational cost and availability, and so is more applicable to a variety of application environments.

Next, taking full account of the CA's load and on the premise of security, a prototype system, the online ASC Center, is designed to carry out the revocation mechanism based on the active status certificate. The thesis then discusses several key issues in detail, such as how to access the ASC Center, ASC-signed certificate management, and the management of ASCs. Finally, the prototype system is implemented using the open source software EJBCA as the certificate system.

The revocation mechanism based on the active status certificate is the innovation of this thesis. It provides a new solution to certificate revocation in large-scale applications of PKI and has a certain significance for enhancing the adaptability of PKI. On the one hand, the mechanism requires a smaller amount of revocation information to be downloaded, which makes it more suitable for serving end users with limited bandwidth resources and capacity. On the other hand, having the certificate holder actively send the ASC to the certificate validator simplifies the process of validating certificate status.
Keywords/Search Tags: PKI, certificate revocation, active status certificate, certificate validation, EJBCA