Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
『プロフェッショナルSSL/TLS』読書会 第3章資料
Search
sylph01
June 23, 2017
Technology
0
580
『プロフェッショナルSSL/TLS』読書会 第3章資料
https://ptls-study.connpass.com/event/59328/
sylph01
June 23, 2017
Tweet
Share
More Decks by sylph01
See All by sylph01
"Actual" Security in Microcontroller Ruby!?
sylph01
0
93
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
33
Updates on PicoRuby Networking, HPKE (and maybe more)
sylph01
1
250
Adding Security to Microcontroller Ruby
sylph01
2
3.3k
Secure Messaging at IETF 118
sylph01
0
85
Adventures in the Dungeons of OpenSSL
sylph01
0
530
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
330
Build and Learn Rails Authentication
sylph01
8
2.1k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
310
Other Decks in Technology
See All in Technology
技術スタックだけじゃない、業務ドメイン知識のオンボーディングも同じくらいの量が必要な話
niftycorp
PRO
0
110
データエンジニアリング領域におけるDuckDBのユースケース
chanyou0311
9
2.2k
Snowflakeの開発・運用コストをApache Icebergで効率化しよう!~機能と活用例のご紹介~
sagara
1
480
AI自体のOps 〜LLMアプリの運用、AWSサービスとOSSの使い分け〜
minorun365
PRO
4
260
EDRの検知の仕組みと検知回避について
chayakonanaika
12
5k
Iceberg Meetup Japan #1 : Iceberg and Databricks
databricksjapan
0
380
OCI Success Journey OCIの何が評価されてる?疑問に答える事例セミナー(2025年2月実施)
oracle4engineer
PRO
2
160
システム・ML活用を広げるdbtのデータモデリング / Expanding System & ML Use with dbt Modeling
i125
1
330
Active Directory攻防
cryptopeg
PRO
8
5.6k
AWS Well-Architected Frameworkで学ぶAmazon ECSのセキュリティ対策
umekou
2
150
遷移の高速化 ヤフートップの試行錯誤
narirou
6
1.5k
依存パッケージの更新はコツコツが勝つコツ! / phpcon_nagoya2025
blue_goheimochi
3
220
Featured
See All Featured
Building Applications with DynamoDB
mza
93
6.2k
Designing on Purpose - Digital PM Summit 2013
jponch
117
7.1k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
Adopting Sorbet at Scale
ufuk
74
9.2k
Raft: Consensus for Rubyists
vanstee
137
6.8k
Producing Creativity
orderedlist
PRO
344
40k
Documentation Writing (for coders)
carmenintech
67
4.6k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
100
18k
GraphQLの誤解/rethinking-graphql
sonatard
68
10k
How to Ace a Technical Interview
jacobian
276
23k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Transcript
(3) ެ։伴ج൫ @ʰϓϩϑΣογϣφϧSSL/TLSʱಡ ॻձ Ryo Kajiwara (@s01), 6/23/2017
PKIͷత • ެ։伴҉߸Ͱެ։伴Λ࣋ͭ૬खͱ҆શʹ௨৴͕Ͱ͖Δ • Q. ͦΕ·Ͱʹձͬͨ͜ͱͷͳ͍૬खͱ௨৴͢Δʹʁ • Q. ެ։伴ͷอํ๏ɺࣦޮํ๏ʁ
3.1 ΠϯλʔωοτPKI ձͬͨ͜ͱͳ͍ऀͲ͏͠Ͱͷ҆શͳ௨৴Λ࣮ݱ͢Δ → શһ͕ແ ݅ʹ৴པ͢Δূ໌ॻͷൃߦΛɺ৴པͷ͓͚ΔୈࡾऀػؔʹҕͶΔ ϞσϧΛऔΔɻ (note: PKIʹ͓͚Δʮ৴པʯͱɺʮূ໌ॻ͕τϥετετΞʹؚ ·Ε͍ͯΔCAʹΑͬͯݕূͰ͖Δʯͱ͍͏ٕज़తͳ༻ޠɻ)
ূ໌ॻॴ༗ऀ (Subscriber, End-entity) →ΤϯυϢʔβʔ͕ΞΫηε͢ΔαʔϏεͷཧओମɻ ূ໌ॻར༻ऀ (Relying Party) →ΤϯυϢʔβʔɻݫີʹΤϯυϢʔβʔͷWebϒϥβ/OSɻ
RA (ొہ, Registration Authority) ূ໌ॻͷൃߦʹؔ࿈ͨ͠ϚωδϝϯτΛߦ͏ɻূ໌ॻॴ༗ऀͷຊ ਓ֬ೝɻ CA (ೝূہ, Certification Authority)
ূ໌ॻͷൃߦΛߦ͏ओମɻূ໌ॻͷࣦޮใΛΦϯϥΠϯͰఏڙ ͢Δׂ͋Δɻ ࣮ࡍCAͷଟ͕͘RAͷׂՌ͍ͨͯ͠Δɻ
3.2 ূ໌ॻͷඪ४ • X.509ʢσΟϨΫτϦαʔϏε͚ʹઃܭ͞Εͨެ։伴ج൫ͷඪ ४ʣˠPKIX WGʹΑΔΠϯλʔωοτ͚ͷඪ४Խ: RFC 5280 • ূ໌ॻͷϑΥʔϚοτɺ৴པύεɺCRL
• CA/Browser Forum: ূ໌ॻͷൃߦ/ॲཧͷඪ४ԽΛߦ͏CAͱϒϥ βϕϯμʔΒʹΑΔஂମ • Baseline Requirements: CA͕ै͏͜ͱ͕ٻΊΒΕΔূ໌ॻൃߦ ͷج४ • IETF Web PKI WG
3.3 ূ໌ॻ • ެ։伴 • ެ։伴ʹඥ͚ΒΕͨओମʹؔ͢Δใ • ൃߦͨ͠ओମͷσΟδλϧॺ໊ ؚ͕·ΕΔσΟδλϧจॻɻ
3.3 ূ໌ॻ ASN.1, DER, PEM ASN.1: ΦϒδΣΫτ/σʔλߏͷΤϯίʔυํࣜͷͻͱͭɻ X.509ͰΘΕΔͷDER(Distinguished Encoding Rules)ϑΥʔϚο
τɻDERΛBase64Τϯίʔυͨ͠ͷ͕PEMɻ ΦϯϥΠϯͷσίʔμʔ: http:/ /lapo.it/asn1js
3.3 ূ໌ॻ 3.3.1 ূ໌ॻͷϑΟʔϧυ ࣮ࡍʹূ໌ॻΛऔಘͯ͠ΈΔɻ $ openssl s_client -showcerts -connect
google.com:443 (ϋϯυγΣΠΫ·Ͱཱ֬ͨ͠ΒCtrl-CͰதஅ͢Δ) -----BEGIN CERTIFICATE----- Ͱ࢝·ͬͯ -----END CERTIFICATE----- ͰऴΘΔͷ͕1ͭͷূ໌ॻɻ ࠷ॳͷմΛASN.1ͷΦϯϥΠϯσίʔμʔʹ͔͚Δɻ
None
3.3 ূ໌ॻ 3.3.1 ূ໌ॻͷϑΟʔϧυ • Version: [0] (1 elem) ->
INTEGER 2 • Serial Number: INTEGER (63 bit) 5123627332963584822 • Signature Algorithm • ࣍ͷSEQUENCEͷதɻOBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)
3.3 ূ໌ॻ 3.3.1 ূ໌ॻͷϑΟʔϧυ • Issuer • ͦͷ࣍ͷSEQUENCE (3 elem)ͷத
• /C=US/O=Google Inc/CN=Google Internet Authority G2 ͱදه͞ΕΔ
3.3 ূ໌ॻ 3.3.1 ূ໌ॻͷϑΟʔϧυ • Validity • ։࢝࣌ 2017-05-03 08:56:04
UTC • ऴྃ࣌ 2017-07-26 08:42:00 UTC • Subject • /C=US/ST=California/L=Mountain View/O=Google Inc/ CN=*.google.com
3.3 ূ໌ॻ 3.3.1 ূ໌ॻͷϑΟʔϧυ • PublicKey • ΞϧΰϦζϜ : rsaEncryption
(PKCS #1) • ͦͷ͋ͱʹެ։伴͕ೖ͍ͬͯΔ • RSA҉߸ʹ͓͚Δ ͷϖΞͷ͏ͪɺ࠷ॳͷ͍ͷ͕2ͭͷ ૉͷੵ ɺͰ͏ยํ͕ ʢ3͔65537͕ଟ͍ʣ • Ͱ ͕ൿີ伴
3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு [3]ҎԼʹೖ͍ͬͯΔSEQUENCE͕ͦΕɻ • Extended Key Usage •
serverAuth, clientAuth͕ೖ͍ͬͯΔɻίʔυαΠχϯά༻ ূ໌ॻͩͱcodeSigning͕ೖ͍ͬͯΔɻ • ຊདྷΤϯυΤϯςΟςΟ༻ূ໌ॻʹͷΈΘΕΔ͖ͱ͞Ε ͍ͯΔ͕(@RFC 5280)ɺ࣮ࡍதؒCAূ໌ॻ͕ൃߦͨ͠ূ໌ ॻʹରͯ͠ΘΕ͍ͯΔɻ
3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு • Subject Alternative Name • ҎલSubjectͷCNཁૉͷϗετ໊Λ͍͕ͬͯͨɺSAN֦ு
ʹΑͬͯ: • ෳͷओମʹର͢Δূ໌ॻΛ1ͭʹ·ͱΊΒΕΔ • DNS໊/IPΞυϨε/URIͰओମΛදݱͰ͖Δ • GoogleͷྫͰccTLDҧ͍ؔ࿈͢ΔυϝΠϯฒΜͰ͍Δ
3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு • Authority Information Access • ocsp:
OCSPϨεϙϯμͷॴ • caIssuers: CAͷূ໌ॻͷॴ
3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு • SubjectKeyIdentifier • ಛఆͷ伴Λ࣋ͭূ໌ॻͷࣝผ༻ͷɻϋογϡͰ࡞Δɻ • CA͕ൃߦͨ͠ূ໌ॻͷ͜Ε
= CAͷূ໌ॻͷAuthority Key Identifier
ྫ authorityInfoAccessͷcaIssuers͔ΒCAূ໌ॻΛऔΔɻ $ wget http://pki.google.com/GIAG2.crt $ openssl x509 -in GIAG2.crt
-inform DER -out GIAG2.pem -outform PEM ͱͯ͠ಘΒΕͨPEMΛσίʔμʔʹ͔͚Δɻ • ূ໌ॻͷAKI: 4ADD06161BBCF668B576F581B6BB621ABA5A812F • CAূ໌ॻͷSKI: 4ADD06161BBCF668B576F581B6BB621ABA5A812F Ұகͨ͠ʂ
3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு • Basic Constraints • CAূ໌ॻͰ͋Δ͜ͱΛࣔ͠ɺԼҐCAͷূ໌ॻύεͷਂ͞Λ੍ ޚ͢Δ...͕͜ͷূ໌ॻCAূ໌ॻͰͳ͍ͷͰOCTET
STRING -> SEQUENCEͷத͕ۭ
3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு • Authority Key Identifier • ূ໌ॻʹର͢Δॺ໊ͷ伴Λಛఆ͢Δͷɻͷূ໌ॻͷࣝผ
ͷͨΊʹ͏ɻ • ͜Εͷͷূ໌ॻͷSubject Key IdentifierͱҰக͢Δϋζɻ
3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு • Certificate Policies • ϙϦγʔ͕ೖ͍ͬͯΔ •
OIDͱݶఆࢠ͕ೖ͍ͬͯΔ…͕͜͜Ͱݶఆࢠೖ͍ͬͯͳ ͍ɻ • Baseline RequirementsʹΑΔͱඞͣ1ͭඞཁ
None
Let's EncryptͰऔͬͨূ໌ॻΛݟͯΈͨΒ • http:/ /cps.letsencrypt.org ͱ͍͏URLͱ • "This Certificate may
only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https:/ / letsencrypt.org/repository" ͱॻ͍ͯ͋Δ
3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு • CRL Distribution Points • Certificate
Revocation List(ূ໌ॻࣦޮϦετ)ͷॴΛࣔ͢ͷʹ ΘΕΔɻ • Baseline RequirementsʹΑΔͱCRL͘͠OCSPͷͲͪΒ͔ ͰࣦޮใΛࣔ͢ඞཁ͕͋Δɻ • ͦ͏͍͑͜ͷূ໌ॻʹName Constraintsೖͬͯͳ͔ͬͨɻ
3.4 ূ໌ॻνΣʔϯ ݸผͷূ໌ॻͷݕূ͚ͩͰݕূෆेͰɺϧʔτͱ࿈ͳΔ ূ໌ॻνΣʔϯΛ४උ͢Δඞཁ͕͋Δɻ • ϧʔτΛ҆શʹอͭ • ී௨ϧʔτCAূ໌ॻͰΤϯυΤϯςΟςΟ͚ূ໌ॻΛൃߦ ͠ͳ͍ɻதؒCAূ໌ॻΛ͏ɻ •
Baseline RequirementsͰϧʔτ伴Λ͏ͱ͖खͰίϚϯ υΛୟ͘Α͏ཁٻ͍ͯ͠Δ = ϧʔτ伴ΦϑϥΠϯͰอ ͓͖ͯ͘͠
3.4 ূ໌ॻνΣʔϯ • ૬ޓೝূূ໌ॻ • ৽͘͠CAͷӡ༻Λ࢝ΊΔͨΊʹඞཁ • ۠ըԽ • ԼҐCAূ໌ॻؒͰӡ༻Λׂ
• ҕৡ • ؔ࿈৫ʹҕৡ͢Δ͜ͱ͕͋Δ
3.4 ূ໌ॻνΣʔϯ αʔό͕ఏࣔͰ͖Δূ໌ॻνΣʔϯ1͚͕࣮ͭͩͩࡍଟ༷ͳ৴ པύε͕͋Γ͏Δʢ૬ޓೝূͷ߹ͳͲʣɻ ύεͷߏஙʹΑΔαʔόଆɾΫϥΠΞϯτଆͷ྆ํͰ͋Γ ͏Δʢˠ6.1અʣɻ
3.5 ূ໌ॻར༻ऀ ৴༻͢Δϧʔτূ໌ॻͷҰཡͲ͜ʹ͋Δʁ • جຊతʹOS͕༻ҙ͍ͯ͠Δ • MozillaෳϓϥοτϑΥʔϜ͚ʹಠࣗͷϧʔττϥετε τΞΛ༻ҙ͍ͯ͠Δ • ChromeͰՃͷϧʔϧΛ͍͔ͭ͘༻ҙ
3.5 ূ໌ॻར༻ऀ ChromeͷRoot Certificate Policy ʹΑΔͱ: • "EV-Qualified"ͳroot certificateͷҰཡΛϋʔυίʔυͯ࣋ͬͯ͠ ͍Δ
• EVূ໌ॻCertificate TransparencyΛཁٻ • OSͷroot certificate listʹ͋Δূ໌ॻͷdistrustΛ͢ΔݖརΛ Chromeଆ͕อ࣋ʹϒϥοΫϦετΛ͍࣋ͬͯΔ
3.6 CA ʮݱࡏͷΠϯλʔωοτʹ͓͚ΔτϥετϞσϧͰ࠷ॏཁͳ ׂΛՌͨ͢ͷ͕CAʯɻ ͍͢͝ݴΘΕΑ͏͕ͩɺύϒϦοΫCAʹͳΔͨΊʹɿ • 1b. ͖ΘΊͯػහͳϧʔτCAূ໌ॻͱɺԼҐCAূ໌ॻͷ伴Λ ޚͭͭ͠ɺۀతӡ༻͕Մೳͳڧݻ͔ͭ҆શͰ۠ըԽ͞Εͨω οτϫʔΫΛઃܭ͢Δ͜ͱ
• 1f. άϩʔόϧͳCRL͓ΑͼOCSPͷج൫Λ༻ҙ͢Δ͜ͱ ͋ͨΓ͕Ͱ͖Δͱ͜Ζ͕·ͣݶΒΕͯ·͢Ͷ…
3.7 ূ໌ॻͷϥΠϑαΠΫϧ • ূ໌ॻॴ༗ऀ͕CSR(Certificate Signing Request)Λ༻ҙɺͦΕΛ͍ ͣΕ͔ͷCAʹૹ৴ • CSR: ؔ࿈͢Δެ։伴Λ֨ೲɺରԠ͢Δൿີ伴Λ͍࣋ͬͯΔ͜
ͱΛॺ໊Λར༻ͯࣔ͢͠ • CA͕ূ໌ॻͷݕূΛߦ͏ • ূ໌ॻΛൃߦɻϧʔτCAূ໌ॻʹͨͲΓண͘ͷʹඞཁͳதؒCA ূ໌ॻൃߦɻ • ظݶΕ·Ͱ͑Δɻظݶ͕ΕͨΒҰ͔ΒΓ͢ɻ
3.7 ূ໌ॻͷϥΠϑαΠΫϧ • DVূ໌ॻ(Domain Validation) • υϝΠϯͷॴ༗ͷΈΛ֬ೝ͢Δɻ • OVূ໌ॻ(Organization Validation)
• ৫ͷ࣮ࡏੑɾຊਓੑূ໌͕ೖΔɻ • EVূ໌ॻ(Extended Validation) • OVূ໌ॻͷݕূΛΑΓݫ֨ʹͨ͠ͷɻURLόʔʹاۀ໊͕ ग़ͯ͘Δɻ
3.8 ࣦޮ CRL(Certificate Revocation List) ظݶΕʹͳ͍ͬͯͳ͍͕ࣦޮͨ͠ূ໌ॻͷγϦΞϧ൪߸Λྻڍ ͨ͠ͷɻ ͱͯ͠ංେԽͯ͠ݕࡧ͢Δͷ͕େมɻ
3.8 ࣦޮ OCSP(Online Certificate Status Protocol) ୯Ұͷূ໌ॻͷࣦޮঢ়ଶΛূ໌ॻར༻ऀ͕औಘͰ͖ΔΑ͏ʹ͢Δ ΈɻOCSPαʔόͷ͜ͱΛOCSPϨεϙϯμͱݺͿɻOCSPϨε ϙϯμͷҐஔAuthority Information
Access֦ுʹॻ͔ΕΔɻ ύϑΥʔϚϯεͷ: ຖճ͍߹ΘͤΔͱϨΠςϯγ͠ΜͲ͍ɻ ϓϥΠόγʔͷ: OCSPϨεϙϯμͷ௨৴ݟͨΒͲͷূ໌ॻ ͓͏ͱͯ͠Δ͔Θ͔ͬͪΌ͏ɻ →OCSPεςʔϓϦϯάͰղܾΛࢦ͢ɻ
3.9 ऑ ·ͣΤίγεςϜࣗମͷऑͱͯ͠ɺCAͱϒϥβϕϯμʔͱ͍ ͏Ӧརஂମʹґଘ͍ͯ͠Δͱ͍͏͕͋ΔɻӦརஂମͰ͋ΔҎ ্ηΩϡϦςΟ࠷༏ઌࣄ߲Ͱͳ͍ʢҟ͋Δ͕ʣ
3.9 ऑ ূ໌ॻͷൃߦʹࡍͯ͠υϝΠϯॴ༗ऀͷڐՄ͕ٻ ΊΒΕͳ͍ CAڐՄͳ͘ͲΜͳυϝΠϯͷূ໌ॻͰൃߦͰ͖Δɻʹٕज़త ʹCAͷखൈ͖աࣦ͔ΒΛकΔखஈ͕ͳ͍ɻ ৴པΛਝʹ෮چͰ͖ͳ͍ ʹಛఆͷূ໌ॻʹ͍ͭͯɺall-or-nothingͰ৴པ͢Δ͔͠ͳ͍͔ͷ બࢶ͔͠ͳ͍ɻ
3.9 ऑ υϝΠϯͷݕূ͕ऑ͍ WHOISϓϩτίϧͰऔಘͰ͖ΔυϝΠϯ໊ͷॴ༗ऀใʹͱͮ ͍ͯൃߦ͞ΕΔ ʢͱ͍͏͚Ͳɺ͜ͷΜ࠷ۙLet's EncryptͰWHOISใͱҧ͏ϝʔ ϧΞυϨεͰ͋ΔυϝΠϯͷূ໌ॻΛऔಘͨ͠ͷͰɺDVূ໌ॻͷ ݕূϓϩτίϧACMEͰएׯख͕ೖͬͨͱࢥΘΕΔʣ
3.9 ऑ ࣦޮ͕͏·͍͔͘ͳ͍ CAͷʹରͯ͠ϒϥοΫϦετͰհೖ͢Δ͔͠ͳ͔ͬͨɻ • Baseline Requirementsʹ͓͍ͯCRL/OCSPͷใ10ؒ·Ͱ ༗ޮͳ··ʹ͢Δ͜ͱ͕ڐ͞Ε͍ͯΔ • ݱߦͷͯ͢ͷϒϥβͰʮࣦޮใͷऔಘʹࣦഊͯ͠શମ
ͱͯ͠fail͠ͳ͍ʯʹsoft fail͕औΒΕ͍ͯΔ
3.9 ऑ ূ໌ॻͷܯࠂ͕ηΩϡϦςΟͷҙਤΛແ͠ʹ͢ Δ ϒϥβͷܯࠂΈΜͳແࢹ͢ΔΑͶɺͱ͍͏͔ແࢹ͠Ζͱݴͬͯ ΔαΠτ͋ΔΑͶ… ͜͜ʹ͍ΔΈͳ͞Μେৎͩͱࢥ͍·͕͢ɺཔΉ͔ΒDVূ໌ॻ ͢ΒऔΒͳ͍ͰެతαʔϏεӡ༻ͯ͠Δۀऀഇۀͯ͠Ͳ͏ͧɺ ಛʹ͓ۚབྷΉͳΒEVऔͬͯ
3.10 ϧʔτCAূ໌ॻͷ伴ͷةຆԽ ࠷࣮֬ʹϧʔτCAͷ伴߈ܸ͢Ε͍͍ΑͶʂ • ݖݶͰൿີ伴Λఏڙ͢ΔΑ͏ཁٻ͢Δ • ৽نʹCAΛઃஔͯ͠τϥετετΞʹϧʔτCAূ໌ॻΛೖΕΔ • 1024Ϗοτͷ伴Ͱ͋Ε2003࣌Ͱ1000ສถυϧͷϚγϯ ͕͋Ε1ͰഁΕΔͱͷݟੵΓɻ2013ʹ100ສถυϧʹ
Ҿ͖Լ͛ɻ1024Ϗοτ伴Λ͏ͷΛΊΑ͏ʂ → 201510݄ ʹશϧʔτCAূ໌ॻ2048ϏοτҎ্ʹҠߦ
3.11 ΤίγεςϜͷ؍ଌ Internet SSL Survey 2010, The EFF SSL Observatory
ͳͲɺPKIΤίγ εςϜͷεΩϟχϯάɾϞχλϦϯάʹؔ͢Δɻ ΒΕͯͳ͔ͬͨࣄ࣮ͱͯ͠ɺCA͕ϓϥΠϕʔτIPΞυϨε͚ͷ ূ໌ॻશम০Ͱͳ͍υϝΠϯ໊͚ͷূ໌ॻΛൃߦ͍ͯͨ͠ ࣄ࣮ͳͲ͕Θ͔ͬͨɻ
3.12 վળ Perspectives ʮTLSͷೝূΛิॿ͢Δಠཱͨ͠ެূਓʯ ΫϥΠΞϯτ୯ಠͰূ໌ॻͷೝূΛܾΊΒΕͳ͍ Convergence Perspectivesͷ֦ுɻެূਓͷϦΫΤετʹෳͷϓϩΩγαʔ όΛհࡏͤ͞Δɻʢ͋·ΓΞΫςΟϒͰͳ͍ʣ
3.12 վળ ެ։伴ϐϯχϯά αΠτͷॴ༗ऀ͕৴པͰ͖ΔCAΛબͰ͖Δɻ ChromeͰಠ࣮ࣗɺHPKP͕RFC 7469ͱͯ͠ඪ४Խɻ DANE DNSSECͱTLSೝূͷڮ͠Λ͢Δɻ DNSSEC: DNSκʔϯͷॺ໊ʹ͏伴ΛυϝΠϯ໊ʹؔ࿈͚ͮΔ
3.12 վળ ιϒϦϯ伴 ՃͷηΩϡϦςΟอূΛಋೖɻެతʹݕূՄೳͳϩάʹه͞ ΕΔ伴ΛͬͯυϝΠϯ໊Λओு͢ΔɻιϒϦϯ伴Λࣦͬͯ͠· ͬͨΒճ෮͢Δखஈ͕ͳ͍ɻ·ͩΞΠσΞϨϕϧɻ MECAI(Mutually Endorsing CA Infrastructure)
ެূਓΛ͏ํ๏Ͱɺͦͷج൫ΛCA͕ӡ༻͢ΔɻΞΠσΞϨϕ ϧɻ
3.12 վળ CT(Certificate Transparency) ূ໌ॻͷࠪͱϞχλϦϯάͷͨΊͷϑϨʔϜϫʔΫɻCAൃߦ ͢Δূ໌ॻΛެ։ͷϩάʹૹΓɺૹͬͨ͜ͱͷ҉߸ֶతͳূ໌Λ खʹೖΕΔɻChromeͰEVূ໌ॻCTରԠ͕ཁٻ͞Ε͍ͯΔɻ TACK(Trust Assurances for
Certificate Keys) αʔό͕ఏڙͨ͠ॺ໊伴ΛϐϯཹΊ͢ΔɻCAͷΠϯϑϥʹґଘ͠ ͳͯ͘ࡁΉΑ͏ʹͳΔɻެࣜʹαϙʔτ͢ΔΫϥΠΞϯτ·ͩ