Abstract
The certificate revocation list (CRL) is the most widely used certificate revocation mechanism in public key infrastructure (PKI). Based on an analysis of the basic CRL and the segmented CRL, a secondary segmented CRL is proposed that builds on the segmented CRL. Segments of a segmented CRL that grow so large that they affect performance are segmented a second time, using a criterion different from the one used the first time. This mitigates the performance degradation that unbalanced certificate classification causes in the segmented CRL. In addition, the update times of the segments are staggered, which reduces the peak request rate of the CRL. With its low traffic volume, low peak request rate and good scalability, the secondary segmented CRL is suitable for large-scale PKI systems.
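The two ideas in the abstract, re-splitting an oversized segment by a different criterion and staggering segment updates, are sketched below as an added example; it is not code from the paper. The criteria (organizational unit first, serial number modulo 4 second), the size threshold, the client count and the request model are all assumptions, since the abstract does not specify them.

```python
from collections import Counter, defaultdict

def segment(revoked, key):
    """Group revoked-certificate records into CRL segments by key(cert)."""
    segs = defaultdict(list)
    for cert in revoked:
        segs[key(cert)].append(cert)
    return dict(segs)

def secondary_segment(segments, max_size, second_key):
    """Split every segment larger than max_size again, by a different criterion."""
    out = {}
    for name, certs in segments.items():
        if len(certs) <= max_size:
            out[(name,)] = certs
        else:
            for sub, sub_certs in segment(certs, second_key).items():
                out[(name, sub)] = sub_certs
    return out

def peak_requests(segments, clients_per_segment, slots, stagger):
    """Largest number of fetches in one time slot of an update period.
    Assumed model: every client re-fetches its segment when it is reissued."""
    load = Counter()
    for i, _name in enumerate(sorted(segments)):
        load[i % slots if stagger else 0] += clients_per_segment
    return max(load.values())

def build_sample():
    """Constructed data: 1000 revoked certs, unbalanced across three units."""
    units = ["sales"] * 700 + ["eng"] * 200 + ["ops"] * 100
    return [{"serial": s, "unit": u} for s, u in enumerate(units)]

def demo():
    revoked = build_sample()
    first = segment(revoked, key=lambda c: c["unit"])  # assumed 1st criterion
    second = secondary_segment(first, max_size=250,
                               second_key=lambda c: c["serial"] % 4)  # assumed 2nd
    return {
        "largest_first": max(len(v) for v in first.values()),
        "largest_second": max(len(v) for v in second.values()),
        "segment_count": len(second),
        "peak_synchronized": peak_requests(second, 100, 3, stagger=False),
        "peak_staggered": peak_requests(second, 100, 3, stagger=True),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The largest segment a relying party must download shrinks only where the first criterion was unbalanced, and the staggered schedule spreads the same total number of fetches over the update period.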
Source
Network & Computer Security (《计算机安全》)
2010, Issue 4, pp. 15-17 (3 pages in total)