Materials for Chapter 3, 『プロフェッショナルSSL/TLS』 reading group
sylph01
June 23, 2017
https://ptls-study.connpass.com/event/59328/
Transcript
(3) Public Key Infrastructure @ 『プロフェッショナルSSL/TLS』 reading group
Ryo Kajiwara (@s01), 6/23/2017
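Purpose of PKI
• With public-key cryptography, you can communicate securely with a party whose public key you hold
• Q. How do you communicate with a party you have never met before?
• Q. How are public keys stored, and how are they revoked?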
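3.1 Internet PKI
Achieve secure communication between parties who have never met → adopt a model in which the issuing of certificates that everyone trusts unconditionally is delegated to trusted third-party organizations.
(note: "trust" in PKI is a technical term meaning "the certificate can be validated by a CA contained in the trust store".)

Certificate holder (Subscriber, End-entity) → the entity that administers the service the end user accesses.
Certificate user (Relying Party) → the end user. Strictly speaking, the end user's web browser/OS.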
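RA (Registration Authority)
Performs management tasks related to certificate issuance. Verifies the identity of the certificate holder.
CA (Certification Authority)
The entity that issues certificates. It also has the role of providing certificate revocation information online.
In practice, many CAs also fulfil the RA role.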
3.2 Certificate standards
• X.509 (a public key infrastructure standard designed for directory services) → standardized for the Internet by the PKIX WG: RFC 5280
• Certificate format, trust paths, CRL
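• CA/Browser Forum: a body of CAs, browser vendors and others that standardizes the issuance and processing of certificates
• Baseline Requirements: the certificate issuance criteria that CAs are required to follow
• IETF Web PKI WG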
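3.3 Certificates
A digital document that contains:
• a public key
• information about the entity bound to the public key
• the digital signature of the issuing entity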
3.3 Certificates / ASN.1, DER, PEM
ASN.1: one of the ways of encoding objects and data structures. What X.509 uses is the DER (Distinguished Encoding Rules) format. PEM is DER encoded in Base64.
Online decoder: http://lapo.it/asn1js
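3.3 Certificates / 3.3.1 Certificate fields
Let's actually fetch a certificate.
$ openssl s_client -showcerts -connect google.com:443
(interrupt with Ctrl-C once the handshake has been established)
Everything that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- is one certificate.
Feed the first block to the online ASN.1 decoder.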
3.3 Certificates / 3.3.1 Certificate fields
• Version: [0] (1 elem) -> INTEGER 2
• Serial Number: INTEGER (63 bit) 5123627332963584822
• Signature Algorithm
  • Inside the next SEQUENCE. OBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)
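The walk the online decoder performs for the slide above, as an added example (not from the original deck): a minimal DER reader that goes from PEM to DER to the Version, Serial Number and Signature Algorithm OID. The sample is constructed from the values on the slide and holds only those three fields; the function names are hypothetical and a v3 certificate with an explicit version element is assumed.

```python
import base64

def read_tlv(buf, pos=0):  # decode one DER element; returns (tag, content, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                      # short form: the byte is the length
        length = first
    else:                                 # long form: low 7 bits count the length bytes
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("indefinite or truncated length")  # DER forbids indefinite
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):  # OBJECT IDENTIFIER content bytes -> dotted string
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:               # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    top = min(arcs[0] // 40, 2)           # the first arc value packs the first two arcs
    return ".".join(str(a) for a in [top, arcs[0] - 40 * top] + arcs[1:])

def pem_to_der(pem):  # PEM is the Base64 of DER between the BEGIN/END lines
    body = [line for line in pem.strip().splitlines() if not line.startswith("-----")]
    return base64.b64decode("".join(body))

def leading_fields(pem):  # (version, serial number, signature algorithm OID)
    _, cert, _ = read_tlv(pem_to_der(pem))    # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert)                # TBSCertificate SEQUENCE
    _, wrapped, pos = read_tlv(tbs)           # [0] EXPLICIT around the version
    _, version, _ = read_tlv(wrapped)
    _, serial, pos = read_tlv(tbs, pos)
    _, alg, _ = read_tlv(tbs, pos)            # SEQUENCE { OID, parameters }
    _, oid, _ = read_tlv(alg)
    return int.from_bytes(version, "big"), int.from_bytes(serial, "big"), decode_oid(oid)

def tlv(tag, content):  # encoder for the constructed sample below (short lengths only)
    return bytes([tag, len(content)]) + content
SAMPLE_DER = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))     # constructed, not a real certificate
                 + tlv(0x02, (5123627332963584822).to_bytes(8, "big"))
                 + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))))
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(SAMPLE_DER).decode()}\n-----END CERTIFICATE-----\n"
```

The INTEGER 2 in the version field denotes X.509 v3.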
3.3 Certificates / 3.3.1 Certificate fields
• Issuer
  • Inside the SEQUENCE (3 elem) after that
  • Written as /C=US/O=Google Inc/CN=Google Internet Authority G2
3.3 Certificates / 3.3.1 Certificate fields
• Validity
  • Start time: 2017-05-03 08:56:04 UTC
  • End time: 2017-07-26 08:42:00 UTC
• Subject
  • /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
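3.3 Certificates / 3.3.1 Certificate fields
• PublicKey
  • Algorithm: rsaEncryption (PKCS #1)
  • The public key follows after that
  • Of the pair of values in RSA, the first, long one is the product of two primes, and the other one is often 3 or 65537
  • The private key is the corresponding secret value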
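3.3 Certificates / 3.3.2 Certificate extensions
The SEQUENCE found under [3] holds them.
• Extended Key Usage
  • Contains serverAuth and clientAuth. A code-signing certificate contains codeSigning.
  • It is supposed to be used only in end-entity certificates (per RFC 5280), but in practice it is used with respect to the certificates issued from intermediate CA certificates.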
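3.3 Certificates / 3.3.2 Certificate extensions
• Subject Alternative Name
  • Previously the host name in the CN component of the Subject was used; with the SAN extension:
    • certificates for multiple entities can be combined into one
    • an entity can be expressed as a DNS name, IP address or URI
  • In the Google example, ccTLD variants and related domains are listed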
3.3 Certificates / 3.3.2 Certificate extensions
• Authority Information Access
  • ocsp: location of the OCSP responder
  • caIssuers: location of the CA's certificate
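3.3 Certificates / 3.3.2 Certificate extensions
• SubjectKeyIdentifier
  • Identifies certificates that hold a particular key. Made with a hash.
  • Pairs with the Authority Key Identifier between a CA's certificate and the certificates that CA issued

Example
Get the CA certificate from caIssuers in authorityInfoAccess.
$ wget http://pki.google.com/GIAG2.crt
$ openssl x509 -in GIAG2.crt -inform DER -out GIAG2.pem -outform PEM
Feed the resulting PEM to the decoder.
• AKI of the certificate: 4ADD06161BBCF668B576F581B6BB621ABA5A812F
• SKI of the CA certificate: 4ADD06161BBCF668B576F581B6BB621ABA5A812F
They match!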
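3.3 Certificates / 3.3.2 Certificate extensions
• Basic Constraints
  • Indicates that the certificate is a CA certificate and controls the depth of the certificate path of subordinate CAs... but this certificate is not a CA certificate, so the inside of OCTET STRING -> SEQUENCE is empty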
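3.3 Certificates / 3.3.2 Certificate extensions
• Authority Key Identifier
  • Identifies the key that signed the certificate. Used to identify the issuing certificate.
  • This should match the Subject Key Identifier of the issuing certificate.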
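3.3 Certificates / 3.3.2 Certificate extensions
• Certificate Policies
  • Contains the policies
  • Contains an OID and qualifiers… but here there is no qualifier.
  • According to the Baseline Requirements, at least one is always required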
Looking at a certificate obtained from Let's Encrypt, it contains
• the URL http://cps.letsencrypt.org and
• the text "This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository"
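3.3 Certificates / 3.3.2 Certificate extensions
• CRL Distribution Points
  • Used to indicate the location of the Certificate Revocation List.
  • According to the Baseline Requirements, revocation information must be provided through either CRL or OCSP.
• Come to think of it, this certificate did not contain Name Constraints.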
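3.4 Certificate chains
Validating an individual certificate is not sufficient on its own; a certificate chain leading up to the root has to be prepared.
• Keeping the root safe
  • Normally, end-entity certificates are not issued from a root CA certificate. Intermediate CA certificates are used.
  • The Baseline Requirements require commands to be entered by hand when the root key is used = the root key is kept offline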
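3.4 Certificate chains
• Cross-certification
  • Needed in order to start operating a new CA
• Compartmentalization
  • Operations are split across subordinate CA certificates
• Delegation
  • Issuance is sometimes delegated to affiliated organizations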
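3.4 Certificate chains
A server can present only one certificate chain, but in practice a variety of trust paths can exist (for example with cross-certification).
Problems caused by path building can occur on both the server side and the client side (→ Section 6.1).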
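How the multiple trust paths described above arise, as an added example (not from the original deck): chains are built by matching a certificate's Authority Key Identifier and issuer against a candidate's Subject Key Identifier and subject, and every issuer must carry the Basic Constraints CA flag. The `Cert` record, the names and the key identifiers are constructed; signatures, validity periods and revocation are not checked here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:                      # hypothetical record with only the fields the slides discuss
    subject: str
    issuer: str
    ski: str                     # Subject Key Identifier
    aki: str                     # Authority Key Identifier
    is_ca: bool = False          # Basic Constraints cA flag

def trust_paths(leaf, pool, trust_store, max_depth=8):
    """Return every chain from leaf to a trusted root as a list of subject names."""
    paths = []

    def extend(chain):
        tip = chain[-1]
        if tip in trust_store:                 # reached an anchor: record this path
            paths.append([c.subject for c in chain])
            return
        if len(chain) >= max_depth:            # guard against runaway or looping chains
            return
        for cand in pool:
            links = cand.ski == tip.aki and cand.subject == tip.issuer
            if links and cand.is_ca and cand not in chain:
                extend(chain + [cand])

    extend([leaf])
    return paths

# Constructed sample: one intermediate key certified by two roots (cross-certification).
LEAF = Cert("*.example.test", "Int CA", ski="KL", aki="KI")
INT_A = Cert("Int CA", "Root A", ski="KI", aki="KA", is_ca=True)
INT_B = Cert("Int CA", "Root B", ski="KI", aki="KB", is_ca=True)   # cross-certificate
ROOT_A = Cert("Root A", "Root A", ski="KA", aki="KA", is_ca=True)
ROOT_B = Cert("Root B", "Root B", ski="KB", aki="KB", is_ca=True)
POOL = [INT_A, INT_B, ROOT_A, ROOT_B]

if __name__ == "__main__":
    for store in ({ROOT_A, ROOT_B}, {ROOT_B}, set()):
        print(sorted(c.subject for c in store), "->", trust_paths(LEAF, POOL, store))
```

A client that trusts only Root B still finds a path through the cross-certificate, even if the server sent the chain ending at Root A.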
3.5 Relying parties
Where is the list of trusted root certificates?
• Basically, the OS provides it
• Mozilla provides its own root trust store for multiple platforms
• Chrome provides a few additional rules
3.5 Relying parties
According to Chrome's Root Certificate Policy:
• It holds a hard-coded list of "EV-Qualified" root certificates
• EV certificates require Certificate Transparency
• Chrome reserves the right to distrust certificates that are in the OS root certificate list, and holds a blacklist
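3.6 CA
"The CA plays the most important role in the trust model of today's Internet."
That is quite a thing to say, but to become a public CA you need to:
• 1b. Design a robust, secure and compartmentalized network that allows commercial operation while protecting the highly sensitive keys of the root CA certificate and subordinate CA certificates
• 1f. Provide a global CRL and OCSP infrastructure
The organizations that can do things like these are limited to begin with…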
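3.7 Certificate lifecycle
• The certificate holder prepares a CSR (Certificate Signing Request) and sends it to a CA
  • CSR: contains the relevant public key and uses a signature to show possession of the corresponding private key
• The CA performs validation for the certificate
• The certificate is issued. The intermediate CA certificates needed to reach the root CA certificate are issued as well.
• It can be used until it expires. Once it expires, start over from the beginning.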
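3.7 Certificate lifecycle
• DV certificate (Domain Validation)
  • Confirms only ownership of the domain.
• OV certificate (Organization Validation)
  • Adds proof of the organization's existence and identity.
• EV certificate (Extended Validation)
  • A stricter version of OV certificate validation. The company name appears in the URL bar.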
3.8 Revocation
CRL (Certificate Revocation List)
A list of the serial numbers of certificates that have not expired but have been revoked.
The problem: it grows large and is hard to search.
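3.8 Revocation
OCSP (Online Certificate Status Protocol)
A mechanism that lets a relying party obtain the revocation status of a single certificate. An OCSP server is called an OCSP responder. The location of the OCSP responder is written in the Authority Information Access extension.
Performance problem: querying every time makes latency painful.
Privacy problem: anyone watching the traffic to the OCSP responder can tell which certificate you are about to use.
→ OCSP stapling aims to solve these.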
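3.9 Weaknesses
First, as a weakness of the ecosystem itself, it depends on CAs and browser vendors, which are for-profit organizations. As long as they are for-profit organizations, security is not their top priority (though some would disagree).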
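3.9 Weaknesses
No permission from the domain owner is required to issue a certificate
A CA can issue a certificate for any domain without permission. There is no technical means of protection against a CA's corner-cutting or mistakes.
Trust cannot be restored quickly
For a given certificate, the only choice is all-or-nothing: trust it or do not.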
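3.9 Weaknesses
Domain validation is weak
Certificates are issued on the basis of the domain owner information that can be obtained through the WHOIS protocol
(So it says, but I recently obtained a certificate from Let's Encrypt for a domain using an email address that differs from the WHOIS information, so I think the DV certificate validation protocol has been reworked somewhat with ACME)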
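3.9 Weaknesses
Revocation does not work well
For problems at CAs, the only option was to intervene with blacklists.
• Under the Baseline Requirements, CRL/OCSP information is allowed to remain valid for up to 10 days
• All current browsers take the soft-fail approach: "failing to obtain revocation information does not make the whole thing fail"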
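3.9 Weaknesses
Certificate warnings defeat the purpose of security
Everyone ignores browser warnings, right? In fact, some sites even tell you to ignore them…
I think everyone here is fine, but please: operators who run public services without even getting a DV certificate should just go out of business, and if money is involved, get an EV certificate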
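3.10 Compromise of root CA certificate keys
The surest way is to attack the root CA's key!
• Demand, under authority, that the private key be handed over
• Set up a new CA and get its root CA certificate into the trust store
• For a 1024-bit key, the estimate as of 2003 was that a machine costing 10 million US dollars could break it in 1 year. In 2013 this was lowered to 1 million US dollars. Stop using 1024-bit keys! → In October 2015 all root CA certificates moved to 2048 bits or more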
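3.11 Observing the ecosystem
Covers scanning and monitoring of the PKI ecosystem, such as Internet SSL Survey 2010 and The EFF SSL Observatory.
Previously unknown facts came to light, for example that CAs had been issuing certificates for private IP addresses and for domain names that are not fully qualified.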
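3.12 Improvements
Perspectives
"Independent notaries that assist TLS authentication"
A client on its own cannot decide on the authentication of a certificate
Convergence
An extension of Perspectives. Requests to the notaries pass through multiple proxy servers. (Not very active)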
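3.12 Improvements
Public key pinning
The site owner can choose which CAs to trust.
Implemented independently in Chrome; HPKP was standardized as RFC 7469.
DANE
Bridges DNSSEC and TLS authentication.
DNSSEC: associates the keys used to sign DNS zones with domain names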
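3.12 Improvements
Sovereign keys
Introduces additional security guarantees. A domain name is claimed using a key that is recorded in a publicly verifiable log. If the sovereign key is lost, there is no way to recover. Still at the idea stage.
MECAI (Mutually Endorsing CA Infrastructure)
An approach that uses notaries, with the infrastructure operated by the CAs. At the idea stage.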
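3.12 Improvements
CT (Certificate Transparency)
A framework for auditing and monitoring certificates. CAs send the certificates they issue to public logs and obtain a cryptographic proof that they were sent. In Chrome, EV certificates are required to support CT.
TACK (Trust Assurances for Certificate Keys)
Pins a signing key provided by the server. This removes the dependence on the CA infrastructure. Clients that officially support it are still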