Title

A Study on the Certificate Management Mechanism of Public Key Infrastructure (公開金鑰基礎建設之憑證管理機制研究)

Parallel Title

The Certificate Management of Public Key Infrastructure

DOI

10.29767/ECS.200412.0006

Authors

廖鴻圖(Horng-Twu Liaw);荘文勝(Wen-Shenq Juang);吴威震(Wei-Chen Wu);陳冠颖(Kuan-Ying Chen)

Keywords

Public Key Infrastructure (公開金鑰基礎建設) ; Certificate Revocation List (憑證廢止清單) ; Certification Authority (憑證中心)

Journal

Electronic Commerce Studies

Volume and Issue / Publication Date

Vol. 2, No. 4 (2004 / 12 / 31)

Pages

449 - 460

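Content Language

Traditional Chinese

Chinese Abstract

With the vigorous growth and spread of the Internet, a wide variety of applications have been launched in large numbers, and fields such as commerce, services, and education have all developed well. This has fueled the boom in electronic commerce (E-commerce), but new problems and challenges have arisen with it, such as security, non-repudiation, and privacy. Among the approaches to solving these problems, Public Key Infrastructure (PKI) is one that is often considered, and the concept of the certificate is the core of PKI. This paper proposes a new practical operating architecture for PKI, using an on-line operating architecture based on a Secure Mail Server (SMS) to address the various security problems that may arise from the time gap between issuances of the Certificate Revocation List (CRL). In addition, the proposed mechanism strengthens the security of certificate use, so that certificates can be applied more widely across all kinds of e-commerce.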

English Abstract

Because of the growth and popularization of the Internet, various kinds of applications are available and have developed quite rapidly in many areas, such as commerce, education, and entertainment. In the area of commerce, people call applications on the Internet “E-Commerce”. E-commerce is a very hot topic, but some issues and challenges come along at the same time, for example, Integrity, Authentication, Confidentiality, and Non-repudiation. There are many ways to solve them; the most famous of them is PKI (Public Key Infrastructure). The concept of the Certificate is the most important part of PKI, but it has some defects in the CRL (Certificate Revocation List). This article proposes a new method that could improve the processes of the CRL. At the same time, this article proposes a scheme, the SMS On-line Structure, that could solve some security problems of the CRL issuing time gap and increase the application of certificates. Finally, we propose an E-Commerce scheme based on PKI which can achieve the goal of personal service and authorization easily.

Subject Classification: Basic and Applied Sciences > Information Science
Social Sciences > Economics