短期憑證 -- 一種新型態的金鑰認證中心

Abstract

本篇論文提出一種針對金鑰認證中心(簡稱 CA)的新形態的操作與設定規劃。這種架構能夠降少使用者的等待時間並降低認證中心伺服器和網路的流量或工作負擔，同時確保擁有同樣的安全性。所提出架構遵循 X.509 中所定義的標準，因此所發出的憑證將可以被其他的認證中心確認並接受。 為了達成這些目標，我們把憑證的有效期限設定得很短，而且在『extension field』裡存放一些相關的資料。而因為這較短的有效時限，使用者必須常常重新申請新的憑證，為了降低使用者的不便，認證中心核發新憑證的時間必須很短，且不會為了提高處理速度而導致資料外流，或是用其他的架構來降低重發憑證所帶來的影響。 考量到相容度的問題，這篇論文完全遵守X.509中所規定的操作及管理的規定。更進一步的說，這個操作設定可以被當作標準操作的衍生。雖然所提出的架構還是在實驗中的階段，不過，可以預見在不久的將來，將會被當成是標準的操作方法的一種。

This thesis proposes a new operation method of Certification Authority (CA), which can reduce the users’ waiting time and lower the loads of CA servers and network when users use the certifications to identify themselves without losing the security. This method should follow the standards defined in X.509, so the certifications issued by our CA can be verified and accepted by other CAs. In order to achieve these goals, the validity periods of the certifications are limited and the extension fields of certification are used to present some date-related data. Because of the relatively short validity period, the users have to re-get the certifications every time when the certifications are expired. In order to reduce the burden of user, the time for CA to issue new certification must be short enough without leaking any information to eavesdroppers. In consideration of the compatibility problem, this thesis totally abides the rules about CA operation protocols and CA management protocols defined in X.509. Moreover, the design of the operation method can be regarded as an extension of standard operation protocols. The proposition in this thesis is in experimental status currently. However, it is expected to use this proposition to be the standard track in the near future.