Appendix C - Verifying the Status of a Public Key Certificate
We now present three examples of how to produce a data validation certificate that can be used to assert that a public key certificate is valid, trusted, and can be used for a particular purpose.
A client wants to use a given public key certificate either to verify a signature on a document or to encrypt a document.
A DVCS MUST have access to current information regarding public certificate status; it can therefore be used to verify the revocation status of a certificate at the current time.
The following technique can be used:
A) The public key certificate needs to be validated. The certificate is presented to the Data Certification Server using a 'vpkc' service. The DVCS verifies that the public key certificate is valid and that it hasn't been revoked and then returns a data validation certificate.
B) The data validation certificate MUST be validated. The signature of the Data Certification Server in the data certification token SHALL be verified using the Data Validation and Certification Server's valid certificate.
C) The public key certificate is used:
C.1) A client's own public key certificate (i.e., the corresponding private key) can be used to add a signature to a document.
The signing certificate and the data validation certificate can be added as signed attributes to the signature. The data validation certificate can now be used during the validation of signatures using the key contained in the public key certificate.
This service provided by the DVCS can be thought of as a supplement to the usual method of checking revocation status. In other words, signature validation at a later time does not necessarily require access to the revocation status of the user's signing certificate; access to a DVCS service and validation of the DVC is sufficient to verify a signature.
Note that the DVC does not tell when the signature was created; it only indicates when the signing certificate was valid.
C.2) A public key certificate for key exchange can be used to encrypt data after a data validation certificate has been obtained for it.
The DVC can be stored with the data and/or stored by the creator of the encrypted document. If an intended recipient of the document claims that the creator did not use an appropriate encryption key, the DVC (obtained by a recipient's DVCS) can be used as evidence that the recipient's DVCS has authorized the usage of the public key.
C.3) The procedure described in the previous paragraph can be enhanced to provide domain encryption in several ways.
Organizations require that encrypted documents be recoverable.
One simple way is to always encrypt documents with additional recipients that act as 'domain encryption centers' or 'recovery centers'.
This is not a technically difficult problem, but may require complicated and difficult interactions with the end user, in particular when the document's recipients are in several different organizations.
One possible solution consists of adding additional certificates to the DVC that validates the usage of a particular public key certificate used for encryption. In an environment of several organizations, one of the possible procedures may be:
The client asks its local DVCS to validate the public key certificate.
The DVCS forwards the request to a DVCS of a remote organization.
The remote organization's DVCS verifies the certificate and provides a DVC assertion validating the certificate.
It adds additional certificates usable for key exchange to the certEtcChain structure, indicating additional required recipients.
The local DVCS creates a DVC containing the DVC of the remote DVCS.
It may add additional certificates or references to the DVC.
The client uses all certificates validated as usable for key exchange to extend its list of recipients.
The local DVCS may as well use local information about the remote organization's need for additional recipients.
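
The C.3 procedure above, modelled as an added example (not part of the original text and not a DVCS implementation). Assumptions: DVCs are plain dictionaries rather than CMS SignedData, a per-server HMAC stands in for the DVCS signature checked in step B, and the server names, certificate labels, `status` strings and the `embedded` field are constructed for illustration.

```python
import hashlib, hmac, json

# Constructed stand-ins: a real DVC is signed with the DVCS's certificate.
# An HMAC per server models "the signature verifies under that server's
# valid certificate" so the example runs offline.
DVCS_KEYS = {"local-dvcs": b"local-demo-key", "remote-dvcs": b"remote-demo-key"}

def _mac(issuer, body):
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(DVCS_KEYS[issuer], data, hashlib.sha256).hexdigest()

def issue_dvc(issuer, subject_cert, status, cert_etc_chain=(), embedded=None):
    """DVCS side: answer a 'vpkc' request for subject_cert."""
    body = {"issuer": issuer, "service": "vpkc", "cert": subject_cert,
            "status": status, "certEtcChain": list(cert_etc_chain),
            "embedded": embedded}
    return {"body": body, "sig": _mac(issuer, body)}

def recipients_from_dvc(dvc, wanted_cert):
    """Client side: step B (verify the DVC), then collect recipients (C.3)."""
    body = dvc["body"]
    if body["issuer"] not in DVCS_KEYS:
        raise ValueError("DVC from unknown DVCS")
    if not hmac.compare_digest(dvc["sig"], _mac(body["issuer"], body)):
        raise ValueError("DVC signature invalid")
    if body["cert"] != wanted_cert or body["status"] != "granted":
        raise ValueError("DVC does not validate the requested certificate")
    # Extra recipients are taken only from a DVC that passed the checks above.
    recipients = [wanted_cert] + body["certEtcChain"]
    if body["embedded"] is not None:  # remote DVC carried inside the local one
        recipients += recipients_from_dvc(body["embedded"], wanted_cert)
    return list(dict.fromkeys(recipients))  # de-duplicate, keep order

def demo():
    # Remote DVCS validates the certificate and names its recovery center.
    remote = issue_dvc("remote-dvcs", "bob-kx-cert", "granted",
                       cert_etc_chain=["remote-recovery-center-cert"])
    # Local DVCS wraps the remote DVC and adds its own required recipient.
    local = issue_dvc("local-dvcs", "bob-kx-cert", "granted",
                      cert_etc_chain=["local-recovery-center-cert"],
                      embedded=remote)
    return local, recipients_from_dvc(local, "bob-kx-cert")
```

Because the remote DVC sits inside the signed body of the local DVC, a recipient added to either certEtcChain after issuance makes verification fail before any recipient is accepted.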