Title: Applying LDAP Service on Session CA
Author: 陳中杰
Chung-Jaye Chen
葉義雄
Dr. Yi-Shiung Yeh
Institute of Computer Science and Engineering
Keywords: LDAP directory service; LDAP; Certification Authority; Certificate Revoke List; Role based access control; attribute certificate
Issue Date: 1999
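Abstract: This thesis aims to use a new technology called the lightweight directory service (LDAP) to improve on and build a more versatile Certification Authority (CA), and to combine it with other techniques to improve the system's security and convenience. LDAP is an open directory service specification that runs over TCP/IP, currently the most popular protocol suite. As a result, LDAP has several good properties: it provides fast search and response, and its tree-structured data gives a view of the directory service as a whole, which reduces maintenance cost and management problems. Because of these advantages, we apply LDAP to the construction of a Certification Authority. In ordinary network communication, a Certification Authority gives people a service and a means of verifying the other party's identity; however, once many people need the service, it becomes a very heavy burden on the CA. We therefore use LDAP's properties to reduce and distribute the CA's load, and we hope to combine attribute certificates and role-based access control to improve the system's performance and to control users effectively, thereby increasing the security of the whole system.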
Lightweight Directory Access Protocol (LDAP) service is a new technology applied to the Internet. On larger systems using the TCP/IP protocol, there's no single directory standard -- certainly not one that is routinely used on the scale of intranets. LDAP service has many great features, such as quick and advanced search, quick response and a hierarchical view of data. It can also be applied in many ways. A Certification Authority (CA) is a trusted system, and it should play an important role, like a notary among a group of users, helping them to establish a secure environment. If somebody wants to trade or communicate with others, he needs the certificate that the Certification Authority issues to help him gain the trust of others. When many people need this service, the load on the CA may be huge. Using distributed CAs sounds like a good idea, but it costs a lot. So we designed a session CA, with a DB to share its load, which doesn’t need to maintain the Certificate Revoke List (CRL) because the lifetime of the session certificate is too short. Given these great features of LDAP service, we hope to apply it to the design of a new Certification Authority system. By using LDAP service, we can reduce the traffic between the CA and the user. We hope that using this new technology can reduce administrative maintenance and improve the efficiency of our new Certification Authority. Furthermore, by combining it with role-based access control and attribute certificates, we can improve the security of our system.
URI: http://140.113.39.130/cdrfb3/record/nctu/#NT880392064
http://hdl.handle.net/11536/65464
Appears in Collections: Thesis