Abstract
Publishing certificate revocation information has become the bottleneck in scaling Public Key Infrastructure (PKI) systems. Conventional certificate revocation schemes are unsuitable for large-scale PKI systems because of poor scalability, weak real-time performance, and the large volume of data exchanged. To address these problems, a new certificate revocation scheme, OLMiniCRL, is proposed on a theoretical basis. The new scheme uses an online query-response mode and adopts the MiniCRL compression strategy and the NOVOMODO pre-signature scheme, returning the status of a compact certificate segment as the response to a certificate status query. Compared with the conventional online query-response mode, the new scheme uses digital signatures to ensure data security and integrity and a one-way hash function chain to ensure real-time communication, which greatly reduces the number of digital signatures and the amount of data processed and lowers server resource consumption. The pre-signature scheme speeds up responses to user queries. The scheme offers good real-time performance, compactness, and scalability, and is applicable to large-scale PKI systems with high demands on real-time performance.
Source
Computer Technology and Development
2013, No. 10, pp. 130-133, 166 (5 pages)
Funding
Intra-military scientific research project (2011ALZ026)