Even though Public Key Infrastructure (PKI) and X.509 certificate has been a prominent security model for a variety of e-commerce applications and large scale distributed computing, it has not been sufficiently investigated in the certificate revocation and verification mechanism. In this paper, we discuss the need and importance of certificate revocation and verification, and analyze the limitations of several certificate validation schemes that are widely used in PKI environments. Then we propose an alternative scheme. The underlying idea is that the certificate holder provides certificate validation proof (CVP) to the verifiers in manner of initiative. According to this scheme, The CVP is a proof issued by a trusted third party (TTP) for the certificate stating whether it was revoked or not. For both parties in any transaction, the certificate holder provides the CVP to the verifier, the verifier knows about the validity status of the certificate by verifying CVP efficiently without any extra information except the certificate. The CVP is created by multioperations with a HASH function and operations are associated with the current time. The suggested scheme is principally simple with characteristics of distributed processing, high security, low communication costs and good practicability.

• 出版日期2012