Added content Removed content
No edit summary |
m (Bot: convert English-format dates to ISO format) |
||
Line 7: | Line 7: | ||
| year_started = 1988 |
| year_started = 1988 |
||
| version = 10/19 |
| version = 10/19 |
||
| version_date = |
| version_date = 2019-10 |
||
| preview = |
| preview = |
||
| preview_date = |
| preview_date = |
||
Line 128: | Line 128: | ||
{{cite book |
{{cite book |
||
|title=Understanding Certification Path Construction |
|title=Understanding Certification Path Construction |
||
|date= |
|date=2002-09 |
||
|publisher=PKI Forum |
|publisher=PKI Forum |
||
|last=Lloyd |
|last=Lloyd |
||
Line 147: | Line 147: | ||
{{cite book |
{{cite book |
||
|title=Qualified Subordination Deployment Scenarios |
|title=Qualified Subordination Deployment Scenarios |
||
|date= |
|date=2009-08 |
||
|publisher=Microsoft |
|publisher=Microsoft |
||
|section=Cross-Certification Between Root CAs |
|section=Cross-Certification Between Root CAs |
||
Line 172: | Line 172: | ||
</ref><ref>{{cite book |
</ref><ref>{{cite book |
||
|title=Understanding Certification Path Construction |
|title=Understanding Certification Path Construction |
||
|date= |
|date=2002-09 |
||
|publisher=PKI Forum |
|publisher=PKI Forum |
||
|url=http://www.oasis-pki.org/pdfs/Understanding_Path_construction-DS2.pdf |
|url=http://www.oasis-pki.org/pdfs/Understanding_Path_construction-DS2.pdf |
||
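Review bot: this is the second `{{cite book}}` for "Understanding Certification Path Construction" (PKI Forum) in this diff, and both copies now carry `date=2002-09`, which is consistent; this copy also has the `url=` line, while the one at line 128 does not. Consider folding the two into one named `<ref>` so the date and URL are maintained in a single place.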
Line 203: | Line 203: | ||
|title=Everything you Never Wanted to Know about PKI but were Forced to Find Out |
|title=Everything you Never Wanted to Know about PKI but were Forced to Find Out |
||
|url=http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf |
|url=http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf |
||
|accessdate= |
|accessdate=2011-11-14 |
||
| |
| |
||
| |
| |
||
Line 211: | Line 211: | ||
=== Weaknesses of the architecture === |
=== Weaknesses of the architecture === |
||
* Certificate revocation lists ([[证书吊销列表|CRL]]) and the Online Certificate Status Protocol ([[OCSP]]), both of which take a blacklist approach |
* Certificate revocation lists ([[证书吊销列表|CRL]]) and the Online Certificate Status Protocol ([[OCSP]]), both of which take a blacklist approach |
||
** If a client trusts a certificate only when the CRL is available, the requirement for offline trust is lost. Clients therefore usually trust certificates even when the CRL is unavailable, which gives an attacker who controls the channel an opening. As Google's Adam Langley put it, CRL checking is like a seat belt that snaps at the critical moment<ref>{{cite web|last1=Langley|first1=Adam|title=Revocation checking and Chrome's CRL (05 Feb 2012)|url=https://www.imperialviolet.org/2012/02/05/crlsets.html|website=Imperial Violet|accessdate= |
** If a client trusts a certificate only when the CRL is available, the requirement for offline trust is lost. Clients therefore usually trust certificates even when the CRL is unavailable, which gives an attacker who controls the channel an opening. As Google's Adam Langley put it, CRL checking is like a seat belt that snaps at the critical moment<ref>{{cite web|last1=Langley|first1=Adam|title=Revocation checking and Chrome's CRL (05 Feb 2012)|url=https://www.imperialviolet.org/2012/02/05/crlsets.html|website=Imperial Violet|accessdate=2017-02-02|||}}</ref> |
||
* Choosing CRLs is unwise in large-scale and complex distribution models |
* Choosing CRLs is unwise in large-scale and complex distribution models |
||
* OCSP is also ambiguous because it keeps no history of revocation status |
* OCSP is also ambiguous because it keeps no history of revocation status |
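Review bot: the changed `{{cite web}}` in this hunk ends with `accessdate=2017-02-02|||}}`, leaving three empty positional parameters after the access date; drop the extra pipes so the template closes directly after the value. The list items around it are unchanged context.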