PKI System Certificate Revocation Mechanism

Posted on: 2006-05-19
Degree: Master
Type: Thesis
Country: China
Candidate: H L Pang
Full Text: PDF
GTID: 2208360182960412
Subject: Computer software and theory

Abstract/Summary:
As a fundamental platform for pervasive information security, PKI has developed quickly in recent years and is widely used in fields such as EC, EP and security services. The Certificate Authority and the Registration Authority are the core of PKI. The certificate revocation mechanism, which handles certificate status in PKI, is both a difficult point and an important link in PKI.

Based on a study of the theory, technology and standards of PKI, we present the application of a CA/RA (Certificate Authority/Registration Authority) management system. The system adopts a trust model based on a first-class root CA and a first-class RA. The paper lays out the system modules and function modules; the system can be used in security systems such as email and web. The system is in use at two units and meets its design goals for function and efficiency.

We research and analyze revocation mechanisms in depth, comparing four of them (CRL, CRL Distribution Points, OCSP and AD-MHT) in terms of timeliness, scalability, security, standards compliance and scheme complexity. We point out some principles that can be consulted when choosing a certificate revocation mechanism in practical applications. In addition, based on a study of CRL as described in RFC 3280 and OCSP as described in RFC 2560, we design and implement a CRL, Delta CRL and OCSP client/server system. We slim down the back-end structure of the OCSP responder to improve its validity and timeliness, and we adopt a strategy of signing ahead of time, instead of computing a real-time digital signature for the status response of every revoked certificate, to improve the efficiency of the OCSP responder. We also present an AD-MHT status checking protocol based on AD-MHT and ASN.1, which is valuable for designing applications of AD-MHT. Finally, the paper points out related work to be completed in the future.
Keywords/Search Tags: Information Security, Public Key Infrastructure, Certificate Authority/Registration Authority, Certificate Revocation Mechanism