  • 4 .

  • 4.1 4.2 4.3 4.4 PKI(Public Key Infrastructure)4.5 X.509 4.6 4.7 PKI 4.9 4.10 4.11 PKI

  • (Public Key Infrastructure) , OID(Object Identifier), X.500 DN(Distinguished Name)(CPS : Certification Practice Statement), LDAP(Lightweight Directory Access Protocol), FTP(File Transfer Protocol), OCSP(Online Certificate Status Protocol)

  • 4.1 , WWW, security application , CA(Certification Authority) end entity CA private key digital signature CA public key

  • AInternet A

  • () ID digital stream , , , (CA : Certificate Authority) CA (RA : Registration Authority) : X.509 1, 2, 3

  • (Version) : , 1988(Serial Number) : CA (Algorithm Identifier) : OID(Issuer) : CA(Period of validity) : (Subject) : (Public-key information) : (Signature) : CA

  • (PKI : Public Key Infrastructure) (Certificate), (Certification Authority), (RA : Registration Authority) End entity, CA , 1996

  • CA off-line users User CA CA CA root CA CA end user chain (Trusted Path) : CA CRL(Certificate Revocation List)

  • SET hierarchical CA structure

  • (subject field) X.500 directory DN(Distinguished Name) X.500 directory X.500 directory entry , , , , e-mail address, DN DN X.500 directory DIT(Directory Information Tree) Root node node RDN(Relative Distinguished Name)

  • X.500 directory entry (Continued)Root node RDN ISO , , , entry entry unique RDN End organization entry Unique RDN

  • X.500 DNRootIBM CN : K.D.Hong : 0418-542-8819 : [email protected] : DN : {C=KR, O=SCH, CN=K.D.Hong }RDN = KRRDN = K.D.HongRDN = SCH

  • 4.2 CA , CA CA (Cross-certification) PKI CA

  • CA YCA XCA ZAlice AliceBob Bob

  • CA PAA(Policy Approving Authority) PCA PCA(Policy Certification Authority) CA(Certification Authority) CA ID (Identity Authentication) (Credential Authentication)

  • (extension) , , , , X.509 3 1, 2 CA , 3

  • 4.3 PKI : root CA root CA PKI 2 CA 2 CA CA 3 CA 3 CA CA CA

  • -CA2- CA 3 -CA

  • CA .

  • 4.4 PKI PAA PKI , CA PCA , PAA ( ) PCA CRL PKAF ; PARRA GOC PKI ; PMA ICE TEL PKI ; ICE-TEL CA

  • PCAPAA (COI, Community of Interest) ? ? ? CRL ?

  • CAPAA/PCA CA PCA PCA CA PCA .

  • ORA(Organizational Registration Authority) CA CA GOC PKI LRA(Local Registration Authority) CA CA CA

  • 4.5 X.509 X.509 ITU X.509 v1, v2 (CRL:Certificate Revocation List) X.509 v3

  • X.509 v11988 CA

  • X.509 v1 DIT(Directory Information Tree) CA CA CA

  • X.509 v2X.509 v1 ID(issuer unique identifier) CA X.500 ID(subject unique identifier) X.500

  • X.509 v3 X.509 (standard extension) , (subject) , , CRL , 3 , ,

  • X.509 v3

  • CA (Authority Key Identifier) CA (Key Attribute) (Certificate Policy) PKI (Key Usage Restriction) (Policy Mapping) CA

  • (Subject Alternative Name) ID, e-mail / IP , DNS (Issuer Alternative Name) , ID, E-mail / IP , DNS (Subject Directory Attribute) X.500

  • , , , (Basic Constraints) CA, (Name Constraints) CA . (Policy Constraints)PKI

  • CRL CRL CRL(delta-CRL) , CRL CRL (Distribution Points)CA : , CRL CRL(Delta-CRLs)CRL CRL CRL(Indirect CRLs) CA CRL . CRL

  • 4.6 X.509 CRL : CRL ID : CA X.509 : (UTC Time) : (UTC Time) : CRL : CRL :

  • CRL : + CA : CRL : CRL (e-mail, IP )CRL : CRL : CRL CRL : CRL CRL : : : : CRL

  • CRL CRL CRL CRL , CA

  • 4.7 PKI IETF , , PKI PKI CA , CA PKI (CA), (RA), (EE), (Repository) PKI , ,

  • (EE : End Entity) PKI (CA) CA CA : CA CA RA(Registration Authority)CA , , , , , RA , CA RA CA .

  • PKI -IETF , RA, CA , RA, CA E-mail, HTTP, TCP/IP, FTP CA CA CA RA , .

  • (1) / , , , , RA CA . PKI(RA, CA) . : , RA, CA

  • (1) / 3 / EE -

  • CADirectoryService5. 4. 6. LDAP 2. Alice 1. Alice 3. Alice / Alice

  • AliceCADirectoryService6. LDAP 1. Alice / Alice 2. Alice 4. Alice

  • (2) (POP, Proof of Possession)CA/RA . . , CA/RA CA/RA .

  • (3) CA CA CA . CA CA CA CA .

  • (4) . CA CA .CA CRL CRL CRL .

  • () CA CA CA , CA CA

  • () CRL CA CRL PKI CRL CA CRL CA CRL CRL , CRL DB CRL .

  • () . CA PKI .

  • 4.9 CA RA CA self-certificate fingerprint CA CA CA

  • CA CA . CA .CRL CA CRL .PKI CA , . CA . :

  • CA : CA PKI CA CA CA

  • . CA CA .

  • 4.10 --CPS :Certification Practice Statements , CA , , CA CPS CA

  • , CA, RA, EE , ,

  • , , ,

  • CA, RA, EE , , , CA : FIPS PUB 140-1 level 2 CA :CA 3 , 128 DES , CA :CA CA CA : 3

  • CA , , , , , , , , ,

  • CRL CRL OID(Object Identifier)CA, RA, EE CRL CRL , , , ,

  • 4.11 PKI CRL LDAP(Lightweight Directory Access Protocol)FTP(File Transfer Protocol) OCSP(Online Certificate Status Protocol)PKI CA LDAP FTP CRL

  • LDAP(Lightweight Directory Access Protocol)PKI CRL PKI , LDAP LDAP , , (Repository Read)EE CA PKI (Repository Search) PKI

  • (Repository Modify) PKI , , .

  • FTP(File Transfer Protocol) CA CRL CRL FTP CRL CRL CRL FTP anonymous FTP FTP .cer : .crl : CRL
