* Specifications
[REFS[
- [23] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]] ([TIME[2015-02-22 15:44:10 +09:00]] version) <http://tools.ietf.org/html/rfc5280>
-- [24] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]] ([TIME[2015-02-22 15:44:10 +09:00]] version) <http://tools.ietf.org/html/rfc5280#section-3.1>
]REFS]
* Concepts
[FIG(short list)[
- [[CA]]
- [[Root certificate]]
- [[CA certificate]]
-- [[Cross-certificate]]
-- [[Self-issued certificate]]
-- [[Self-signed certificate]]
- [[End entity certificate]]
- [[CRL]]
- [[OCSP]]
- [[CRLSets]]
- [[OneCRL]]
]FIG]
* [CODE[Certificate]] message
[21] The [DFN[[CODE[[[Certificate]]]]]] [[message]] of the [[TLS Handshake Protocol]]
carries a [[certificate]]. Sent from the [[server]] to the [[client]] it is the [[server certificate]];
sent from the [[client]] to the [[server]] it is the [[client certificate]].
* History
[25] The first [[certificate]] format was specified in the 1988 edition of [[CCITT X.509]];
it is called v1 [SRC[>>24]].
[28] [[PEM]] (1993) adopted v1. The operational experience gained there was fed back into the development of v3.
[SRC[>>24]]
[26] [[X.509]] was revised in 1993; that [[certificate]] format is called v2 [SRC[>>24]].
[27] [[X.509]] was revised again in 1996; that [[certificate]] format is called v3 [SRC[>>24]].
[29] [[RFC 3280]] is the [[Internet]] [[profile]] of v3.
[[RFC 5280]] is its revision.
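The two points above, the [CODE[Certificate]] handshake message carrying certificates and the v1/v2/v3 version history, can be seen together in code. The following is an added example written for this page, not code from the wiki or from any of the cited specifications: it parses the TLS 1.2 [CODE[Certificate]] message layout of RFC 5246 section 7.4.2 (the TLS 1.3 message differs, adding a request context and per-certificate extensions, and is not handled here), checks every nested length against the enclosing vector, and then reads the X.509 version field of each certificate as defined in RFC 5280 section 4.1. The version field is [CODE[[0] EXPLICIT INTEGER DEFAULT v1]], so a v1 certificate omits it entirely; a parser that treats the missing field as an error would reject every v1 certificate. The certificate bytes in the sample are constructed minimal DER prefixes, not real certificates.

```python
# Added example (not from the original wiki page): parse a TLS 1.2 Certificate
# handshake message and report the X.509 version of each certificate in it.
# All sample bytes are constructed for this example.

HANDSHAKE_TYPE_CERTIFICATE = 11  # HandshakeType certificate(11), RFC 5246


def _read_len24(buf, off):
    """Read a 3-byte big-endian length (uint24) as used by TLS vectors."""
    if off + 3 > len(buf):
        raise ValueError("truncated uint24 length")
    return int.from_bytes(buf[off:off + 3], "big"), off + 3


def parse_certificate_message(msg):
    """Return the list of DER certificate blobs in a Certificate handshake message.

    Structure (RFC 5246 section 7.4.2):
      struct { HandshakeType msg_type; uint24 length; body } Handshake;
      struct { ASN.1Cert certificate_list<0..2^24-1>; } Certificate;
      opaque ASN.1Cert<1..2^24-1>;
    Each length is checked against the enclosing vector so a malformed
    length can never make the parser read outside the message.
    """
    if len(msg) < 4:
        raise ValueError("handshake header too short")
    if msg[0] != HANDSHAKE_TYPE_CERTIFICATE:
        raise ValueError("not a Certificate message (type %d)" % msg[0])
    body_len, off = _read_len24(msg, 1)
    if off + body_len != len(msg):
        raise ValueError("handshake length does not match message size")
    list_len, off = _read_len24(msg, off)
    end = off + list_len
    if end != len(msg):
        raise ValueError("certificate_list length does not fill the body")
    certs = []
    while off < end:
        cert_len, off = _read_len24(msg, off)
        if cert_len == 0 or off + cert_len > end:
            raise ValueError("ASN.1Cert length out of range")
        certs.append(bytes(msg[off:off + cert_len]))
        off += cert_len
    return certs


def _read_tlv(buf, off):
    """Read one DER tag and length; return (tag, content_start, content_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, off, off + length


def x509_version(der):
    """Return the X.509 version (1, 2 or 3) of a DER-encoded certificate.

    RFC 5280 section 4.1: version is [0] EXPLICIT INTEGER DEFAULT v1(0).
    A v1 certificate omits the field, so a missing [0] tag means version 1.
    """
    tag, off, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, off, _ = _read_tlv(der, off)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, inner, end = _read_tlv(der, off)      # first TBS element
    if tag != 0xA0:
        return 1                               # field absent: DEFAULT v1
    tag, vstart, vend = _read_tlv(der, inner)  # the wrapped INTEGER
    if tag != 0x02 or vend != end or vend - vstart != 1:
        raise ValueError("malformed version INTEGER")
    version = der[vstart] + 1                  # v1(0), v2(1), v3(2)
    if version not in (1, 2, 3):
        raise ValueError("unknown X.509 version %d" % version)
    return version


def build_certificate_message(certs):
    """Encode a TLS 1.2 Certificate handshake message (used to build the sample)."""
    cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(cert_list).to_bytes(3, "big") + cert_list
    return bytes([HANDSHAKE_TYPE_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


# Constructed DER prefixes: SEQUENCE { SEQUENCE { [0] { INTEGER 2 }, INTEGER 1 } }
V3_CERT_PREFIX = bytes.fromhex("300a3008a003020102020101")
# Constructed v1 prefix: the version field is absent, only serialNumber follows.
V1_CERT_PREFIX = bytes.fromhex("30053003020101")
SAMPLE_MESSAGE = build_certificate_message([V3_CERT_PREFIX, V1_CERT_PREFIX])

if __name__ == "__main__":
    for i, cert in enumerate(parse_certificate_message(SAMPLE_MESSAGE)):
        print("certificate %d: %d bytes, X.509 v%d" % (i, len(cert), x509_version(cert)))
```

Running the block prints one line per certificate in the constructed message (v3 first, then v1). The length checks in `parse_certificate_message` are the part worth copying: every TLS vector length is validated against the vector that contains it before any slice is taken.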
* Notes
[1]
[CITE@ja-JP[How to obtain a legitimate code-signing certificate for free (無償で正統的なコードサイニング証明書を入手する方法)]] <http://sqs.cmr.sfc.keio.ac.jp/tdiary/?date=20051003#p01>
([[Anonymous]] [WEAK[2005-10-04 00:42:50 +00:00]])
[2]
[CITE@ja-JP[Hiromitsu Takagi @ Home Diary - Common PKI misconceptions (2) "If it is distributed securely, users may be made to install a root certificate", Common PKI misconceptions (3) "If a private CA is appropriate.. (高木浩光@自宅の日記 - PKIよくある勘違い(2)「安全に配布すればルート証明書を入れさせてよい」, PKIよくある勘違い(3)「プライベート認証局が妥当なら..)]] <http://www.takagi-hiromitsu.jp/diary/20050205.html>
([[Anonymous]])
[3]
[CITE@ja-JP[How to obtain a legitimate code-signing certificate for free: part 2 (無償で正統的なコードサイニング証明書を入手する方法:その2)]] <http://sqs.cmr.sfc.keio.ac.jp/tdiary/?date=20051003#p02>
([[Anonymous]] [WEAK[2006-02-19 07:06:33 +00:00]])
[4]
[CITE@ja-JP[Hiromitsu Takagi @ Home Diary - The spread of IE 7 will bring trouble caused by server certificate revocation to the surface (高木浩光@自宅の日記 - IE 7の普及でサーバ証明書失効によるトラブルが表面化する)]] (by [[Hiromitsu Takagi]], [TIME[2007-04-16 13:20:15 +09:00]] version) <http://takagi-hiromitsu.jp/diary/20070415.html#p01>
([[Anonymous]] [WEAK[2007-04-17 00:54:40 +00:00]])
[5] [CITE[Intent to Deprecate: SHA-1 certificates - Google Groups]]
([TIME[2014-08-30 03:05:20 +09:00]] version)
<https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/2-R4XziFc7A%5B1-25-false%5D>
[6] [CITE@en[RFC 3709 - Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates]]
([TIME[2014-09-21 15:55:02 +09:00]] version)
<https://tools.ietf.org/html/rfc3709>
[7] [CITE@en[RFC 6170 - Internet X.509 Public Key Infrastructure -- Certificate Image]]
([TIME[2014-10-27 13:42:42 +09:00]] version)
<https://tools.ietf.org/html/rfc6170>
[8] [CITE[Security Issue]]
([TIME[2015-03-03 23:44:00 +09:00]] version)
<http://web.archive.org/web/19970521032145/http://form.netscape.com/newsref/std/ssl_2.0_certificate.html>
[9] [CITE[Netscape Certificate Specifications]]
([TIME[2015-03-03 23:44:23 +09:00]] version)
<http://web.archive.org/web/19990218203921/http://home.netscape.com/eng/security/certs.html>
[10] [CITE[Netscape Certificate Download Specification]]
([TIME[2015-03-03 23:45:26 +09:00]] version)
<http://web.archive.org/web/19990202032056/http://www.home.netscape.com/eng/security/downloadcert.html>
[11] [CITE[Netscape Certificate Download Specification]]
([TIME[2015-03-03 23:45:41 +09:00]] version)
<http://web.archive.org/web/19990129050825/http://www.home.netscape.com/eng/security/comm4-cert-download.html>
[12] [CITE[Netscape Certificate Extensions Specification]]
([TIME[2015-03-03 23:46:09 +09:00]] version)
<http://web.archive.org/web/19990129063212/http://www.home.netscape.com/eng/security/comm4-cert-exts.html>
[13] [CITE[Netscape Certificate Extensions Specification]]
([TIME[2015-03-03 23:46:31 +09:00]] version)
<http://web.archive.org/web/19990218190724/http://home.netscape.com/eng/security/cert-exts.html>
[14] [CITE[Netscape Certificate Download Specification]]
([TIME[2015-03-03 23:46:44 +09:00]] version)
<http://web.archive.org/web/19990202032056/http://www.home.netscape.com/eng/security/downloadcert.html>
[15] [CITE[Security Issue]]
([TIME[2015-03-03 23:47:02 +09:00]] version)
<http://web.archive.org/web/19991008215709/http://home.netscape.com/eng/security/ssl_2.0_certificate.html>
[16] [CITE@en[RFC 6091 - Using OpenPGP Keys for Transport Layer Security (TLS) Authentication]]
([TIME[2014-12-30 23:21:42 +09:00]] version)
<http://tools.ietf.org/html/rfc6091>
[17] [CITE[Transport Layer Security (TLS) Extensions]]
([TIME[2015-03-13 06:28:01 +09:00]] version)
<http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-3>
[18] [CITE[Transport Layer Security (TLS) Extensions]]
([TIME[2015-03-13 06:28:01 +09:00]] version)
<http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#certificate-status>
[19] [CITE@en[ImperialViolet - Revocation checking and Chrome's CRL]]
(by [[Adam Langley]], [TIME[2015-03-21 15:52:08 +09:00]] version)
<https://www.imperialviolet.org/2012/02/05/crlsets.html>
[20] [CITE@en[CA:Certificate Download Specification - MozillaWiki]]
([TIME[2013-08-10 14:11:55 +09:00]] version)
<https://wiki.mozilla.org/CA:Certificate_Download_Specification>
[FIG(quote)[
[FIGCAPTION[
[22] [CITE@en[Necko/Differences - MozillaWiki]]
([TIME[2015-03-21 17:34:27 +09:00]] version)
<https://wiki.mozilla.org/Necko/Differences>
]FIGCAPTION]
>
> Other browsers have more robust certificate chain processing; ours gets confused in some common situations.
]FIG]