Simple Certificate Validation Protocol (SCVP)

xiaoxiao2021-03-06  42

Create time: 2004-11-28
Article properties: Translation article
Submitted: CAT ---- ITAQ (liumiao1983cn_at_yahoo.com.cn)

Simple Certificate Validation Protocol (SCVP), October 2004
Source: http://www.infosecurity.org.cn/content/standard/pki-draft/draft-ieetf-pkix-scvp-16.txt
Translation: cat ---- itaq, http://www.itaq.org

1 Introduction

Certificate validation is complicated. Certificate handling is being deployed widely across many applications and environments, and many applications use public key certificates, but each of them has to bear its own overhead for constructing and validating certification paths. SCVP reduces the resources an application spends when it uses a public key certificate.

Applications that use public key certificates fall roughly into two classes. The first class wants to establish two things: first, that the certificate belongs to the identity named in it, and second, that the public key can be used for the intended purpose. Such a client delegates both construction and validation of the certification path to the server; this is usually called delegated path validation (DPV). The second class of applications can perform certification path validation itself, but has no reliable way of constructing a certification path to a trust anchor; such a client delegates only certification path construction to the SCVP server.

Such applications are usually called delegated path discovery (DPD).

An untrusted SCVP server can supply the client with certification paths, and it can also supply the revocation information, such as CRLs and OCSP responses, that the client needs in order to validate the certificates returned by the SCVP server. These services are valuable to clients that do not want to locate and download intermediate certificates themselves.

A trusted SCVP server can perform both certification path construction and validation for the client. A client that uses these services trusts the SCVP server as much as it would trust its own certification path validation software. There are two main reasons for a client to trust such an SCVP server: 1 the client does not want to run certification path validation software for every certificate it receives; 2 the client belongs to an organisation that wants to centralise the management of its PKI, and the organisation's policies may specify the trust anchors to be used and the policy to be applied during certification path validation.

1.3 Validation Policies

When SCVP validates a certificate, the SCVP server uses a validation policy, that is, a set of rules and parameters. In SCVP a validation policy can be agreed in advance between client and server; otherwise the required parameters must be expressed explicitly in the request. Policy definitions can be long and complex, and some policies may leave certain parameters, such as the trust anchors, to be set by the client. A request that refers to a previously agreed policy by a mutually agreed OID or URL value can be very simple; the reference stands for part or all of the settings. The client can omit from its request the parameters that the policy already covers, and need only supply the parameters the agreed policy does not describe. In the simplest form, the validation policy defines every parameter.

An SCVP request then needs only the certificate to be validated, the validation policy, and any run-time parameters. The SCVP server also publishes its default validation policy settings; the defaults are used during validation, and the client can override any default value if required. When a request refers to a validation policy, the defaults are used for any parameters that the policy does not contain and that the client has omitted. Once the server has published its defaults, a client can leave out those parameters to simplify the request.

1.4 Validation Algorithm

The validation algorithm is determined by the client and server. It defines the checks the server runs to decide whether a certificate is valid, and each check is defined by policy parameters. SCVP defines a basic validation algorithm. Application-specific validation algorithms, beyond the one defined in this document, can also add checks that the basic validation algorithm does not cover. The validation algorithm in this document should serve as a guide for developing further application-specific algorithms; for example, a new application-specific validation algorithm may require a particular name form in a certificate extension. A certification path is considered valid under a particular validation policy if it is a valid certification path (as defined in [PKIX-1]) and it satisfies all the restrictions of the validation policy. Revocation checking is one aspect of certification path validation that is already defined in [PKIX-1], so the validation policy must also state the source of revocation information. There are five possibilities:
1 All CRLs must be collected.
2 OCSP responses, if in use, must be collected.
3 CRLs and the relevant revocation lists (or full authority revocation lists) are to be collected.

4 Any available revocation information must be collected.
5 No revocation information need be collected.

2 Protocol Overview

SCVP uses a simple request-response model: the SCVP client creates a request and sends it to the SCVP server; the SCVP server then creates a single response and sends it back to the client. The protocol is normally carried over HTTP, but email or other protocols can also be used to transfer the data. Appendix A and Appendix B give the transport details for SCVP.

SCVP consists of two request-response pairs. The first handles certificate validation; the second determines the list of validation policies and the formats that a particular SCVP server supports. Section 3 defines the certificate validation request and section 4 the corresponding certificate validation response. Section 5 defines the validation policy request and section 6 the corresponding validation policy response.

3 Validation Request

An SCVP client's request to the server must be a single CVRequest. When a CVRequest is carried in a Multipurpose Internet Mail Extensions (MIME) body, the application/cvrequest type must be used. There are two forms of SCVP request, signed and unsigned. A signed request is used to authenticate the client to the server, or to give an anonymous client integrity over the request-response pair. A server may require signed requests, in which case it discards all unsigned requests. Alternatively, a server may choose to process unsigned requests. An unsigned request is a CVRequest encapsulated in a CMS ContentInfo. The structure is given below; it is defined in ASN.1 and many details are not shown, but the example clearly illustrates how SCVP uses CMS.

ContentInfo {
  contentType id-ct-scvp-certValRequest, -- (1.2.840.113549.1.9.16.1.10)
  content CVRequest }

A signed request is a CVRequest encapsulated in SignedData or AuthenticatedData, which is in turn encapsulated in a ContentInfo. These structures are defined in ASN.1; many details are not shown, but the following examples clearly illustrate how SCVP uses CMS.

SignedData example:

ContentInfo {
  contentType id-signedData, -- (1.2.840.113549.1.7.2)
  content SignedData }

SignedData {
  version CMSVersion,
  digestAlgorithms DigestAlgorithmIdentifiers,
  encapContentInfo EncapsulatedContentInfo,
  certificates [0] IMPLICIT CertificateSet OPTIONAL,
  crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
  signerInfos SET OF SignerInfo } -- only one in SCVP

SignerInfo {
  version CMSVersion,
  sid SignerIdentifier,
  digestAlgorithm DigestAlgorithmIdentifier,
  signedAttrs SignedAttributes, -- required
  signatureAlgorithm SignatureAlgorithmIdentifier,
  signature SignatureValue,
  unsignedAttrs UnsignedAttributes } -- not used in SCVP

EncapsulatedContentInfo {
  eContentType id-ct-scvp-certValRequest, -- (1.2.840.113549.1.9.16.1.10)
  eContent OCTET STRING } -- contains CVRequest

AuthenticatedData example:

ContentInfo {
  contentType id-ct-authData, -- (1.2.840.113549.1.9.16.1.2)
  content AuthenticatedData }

AuthenticatedData {
  version CMSVersion,
  originatorInfo OriginatorInfo, -- optional
  recipientInfos RecipientInfos, -- only the SCVP server
  macAlgorithm MessageAuthenticationCodeAlgorithm,
  digestAlgorithm DigestAlgorithmIdentifier, -- optional
  encapContentInfo EncapsulatedContentInfo,
  authAttrs AuthAttributes, -- required
  mac MessageAuthenticationCode,
  unauthAttrs UnauthAttributes } -- not used in SCVP

EncapsulatedContentInfo {
  eContentType id-ct-scvp-certValRequest, -- (1.2.840.113549.1.9.16.1.10)
  eContent OCTET STRING } -- contains CVRequest

All SCVP clients must support SignedData for signed requests and responses, and an SCVP client should support AuthenticatedData for requests and responses. If the client signs its request, it must hold a private key, and the corresponding public key must be bound to the client by a certificate that follows the PKI standard. The certificate must be suitable for signing SCVP requests: that is, if the key usage extension is present in the certificate, the digital signature or non-repudiation bit must be set. If the extended key usage extension is present in the certificate, it must include the OID permitting any extended key usage, the SCVP client OID, or some other OID accepted by the SCVP server. The client must identify its certificate unambiguously in the SignedData or AuthenticatedData request. The client should include the signing certificate in the request, but the certificate may be omitted to reduce the size of the request. The client's request may also contain other certificates to help the SCVP server validate the signature. The syntax and semantics of SignedData, AuthenticatedData, and ContentInfo are defined in [CMS]. The syntax and semantics of CVRequest are defined below. The CVRequest carries the client's request: it contains the cvRequestVersion and query items, and may also include the requestorRef, requestNonce, and requestExtensions items.
The CVRequest must have the following syntax:

CVRequest ::= SEQUENCE {
  cvRequestVersion INTEGER,
  query Query,
  requestorRef [0] SEQUENCE SIZE (1..MAX) OF OCTET STRING OPTIONAL,
  requestNonce [1] OCTET STRING OPTIONAL,
  requestExtensions [2] Extensions OPTIONAL,
  dhPublicKey [3] DHPublicKey OPTIONAL }

Each item of the CVRequest is described below.

3.1 cvRequestVersion

The cvRequestVersion item defines the version of the SCVP CVRequest used in the request; the server's response must use the same version. Under the current specification the value of cvRequestVersion must be 1; whenever the specification is updated with any change of syntax or semantics, this value must change.

3.2 query

The query item describes one or more certificates that are the subject of the request. A certificate can be a public key certificate [PKIX-1] or an attribute certificate (AC) [PKIX-AC]. A query must contain a sequence of one or more queriedCerts, a checks item, a wantBack item, and a validationPolicy item. A query may also contain the responseRefHash, responseValidationPolByRef, signResponse, serverContextInfo, validationTime, intermediateCerts, revInfos, producedAt, and queryExtensions items. The query must have the following syntax:

Query ::= SEQUENCE {
  queriedCerts SEQUENCE SIZE (1..MAX) OF CertReference,
  checks CertChecks,
  ...
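As an added example (not from the draft or from this translation), the following Python walks the three ContentInfo wrappings shown above, accepts a request only when the content type (or, for SignedData and AuthenticatedData, the eContentType) is id-ct-scvp-certValRequest, and extracts cvRequestVersion so a server can enforce the value 1. It assumes short-form DER lengths and constructs its own sample requests; the signerInfos of the constructed SignedData sample is left empty, so no signature is verified here.

```python
OID_SCVP_CERTVALREQUEST = bytes.fromhex("2a864886f70d010910010a")  # 1.2.840.113549.1.9.16.1.10
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")              # 1.2.840.113549.1.7.2
OID_AUTH_DATA = bytes.fromhex("2a864886f70d0109100102")            # 1.2.840.113549.1.9.16.1.2

def der(tag, body):
    """Short-form DER TLV (body under 128 bytes), enough for the constructed samples."""
    return bytes([tag, len(body)]) + body

def children(body):
    """Split a constructed DER body into (tag, inner) pairs; short-form lengths only."""
    out, pos = [], 0
    while pos < len(body):
        tag, n = body[pos], body[pos + 1]
        assert n < 128, "long-form lengths are not handled in this example"
        out.append((tag, body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return out

def cv_request_version(content_info):
    """Return (wrapper, cvRequestVersion); raise ValueError if the types are not SCVP's."""
    (_, ci), = children(content_info)                       # ContentInfo SEQUENCE
    (_, ctype), (_, content) = children(ci)                 # contentType, [0] EXPLICIT content
    if ctype == OID_SCVP_CERTVALREQUEST:                    # unsigned: content is the CVRequest
        wrapper, cvreq = "unsigned", children(content)[0][1]
    elif ctype in (OID_SIGNED_DATA, OID_AUTH_DATA):
        wrapper = "signedData" if ctype == OID_SIGNED_DATA else "authenticatedData"
        (_, body), = children(content)
        # encapContentInfo is the SEQUENCE whose eContentType names the SCVP request
        encap = [c for t, c in children(body)
                 if t == 0x30 and children(c)[:1] == [(0x06, OID_SCVP_CERTVALREQUEST)]]
        if not encap:
            raise ValueError("eContentType is not id-ct-scvp-certValRequest")
        _, econtent = children(encap[0])[1]                 # [0] EXPLICIT eContent
        (_, octets), = children(econtent)                   # OCTET STRING holding the CVRequest
        cvreq = children(octets)[0][1]
    else:
        raise ValueError("contentType is not an SCVP request wrapper")
    tag, version = children(cvreq)[0]                       # cvRequestVersion INTEGER
    if tag != 0x02:
        raise ValueError("cvRequestVersion missing")
    return wrapper, int.from_bytes(version, "big")

# Constructed samples: cvRequestVersion 1 with an empty placeholder Query (a real Query
# carries queriedCerts, checks, wantBack and validationPolicy); signerInfos is left empty.
CVREQ = der(0x30, der(0x02, b"\x01") + der(0x30, b""))
UNSIGNED = der(0x30, der(0x06, OID_SCVP_CERTVALREQUEST) + der(0xA0, CVREQ))
ENCAP = der(0x30, der(0x06, OID_SCVP_CERTVALREQUEST) + der(0xA0, der(0x04, CVREQ)))
SIGNED = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, der(0x30,
    der(0x02, b"\x01") + der(0x31, b"") + ENCAP + der(0x31, b""))))
```

A server would run this check before signature verification and reject any request whose wrapper or version does not match, rather than trying to interpret the inner bytes.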

Please credit the original source when reposting: https://www.9cbs.com/read-57491.html
