| In a distributed PKI environment, the traditional pattern of certificate validation leaves certificate path construction and certificate path validation to the client. This approach has many weak points. First, it reduces the efficiency of the PKI program. Second, it reduces transparency to the client. Third, the efficiency of validation is very low. Finally, the status of a certificate depends completely on the CRL. The workload of the client in traditional certificate cross-validation becomes very heavy, which hinders the deployment of PKI in a variety of applications and environments. This paper proposes a Certification Validation Delegate Server System (CVDSS) scheme for certificate path construction and certificate validation. The main feature of the CVDSS is that the complex work of certificate path construction and certificate path validation is carried out by the CVDSS. The client obtains the result by sending a validation request package. The main purpose of the CVDSS is to reduce the workload of the client in certificate path construction and certificate path validation, reduce the related network traffic, and improve the efficiency of certificate validation. This paper discusses the basic structure of PKI and trust models, and the concept of the distributed trust model. On the basis of delegated path discovery and delegated certificate validation, the paper introduces in detail the scheme and workflow of the CVDSS. The CVDSS takes the SCVP protocol draft in RFC 5055 as the interaction standard between the client and the server. This paper discusses in detail the format of SCVP, the encapsulation of SCVP, and the realization of SCVP and its implementation with OpenSSL. In this paper, the CVDSS uses the dynamic path construction (DPC) algorithm to solve the problem of certificate path construction and cross-validation in a distributed PKI environment. This paper discusses in detail the algorithm and its workflow.
This paper also analyzes the efficiency of the algorithm. |