Save 37% off PRO during our Black Friday Sale! »

『プロフェッショナルSSL/TLS』読書会 第3章資料

404139d782ec666acea93dffc86e089f?s=47 sylph01
June 23, 2017

『プロフェッショナルSSL/TLS』読書会 第3章資料

404139d782ec666acea93dffc86e089f?s=128

sylph01

June 23, 2017
Tweet

Transcript

  1. (3) ެ։伴ج൫ @ʰϓϩϑΣογϣφϧSSL/TLSʱಡ ॻձ Ryo Kajiwara (@s01), 6/23/2017

  2. PKIͷ໨త • ެ։伴҉߸Ͱެ։伴Λ࣋ͭ૬खͱ҆શʹ௨৴͕Ͱ͖Δ • Q. ͦΕ·Ͱʹձͬͨ͜ͱͷͳ͍૬खͱ௨৴͢Δʹ͸ʁ • Q. ެ։伴ͷอ؅ํ๏ɺࣦޮํ๏͸ʁ

  3. 3.1 ΠϯλʔωοτPKI ձͬͨ͜ͱͳ͍ऀͲ͏͠Ͱͷ҆શͳ௨৴Λ࣮ݱ͢Δ → શһ͕ແ৚ ݅ʹ৴པ͢Δূ໌ॻͷൃߦΛɺ৴པͷ͓͚ΔୈࡾऀػؔʹҕͶΔ ϞσϧΛऔΔɻ (note: PKIʹ͓͚Δʮ৴པʯͱ͸ɺʮূ໌ॻ͕τϥετετΞʹؚ ·Ε͍ͯΔCAʹΑͬͯݕূͰ͖Δʯͱ͍͏ٕज़తͳ༻ޠɻ)

  4. ূ໌ॻॴ༗ऀ (Subscriber, End-entity) →ΤϯυϢʔβʔ͕ΞΫηε͢ΔαʔϏεͷ؅ཧओମɻ ূ໌ॻར༻ऀ (Relying Party) →ΤϯυϢʔβʔɻݫີʹ͸ΤϯυϢʔβʔͷWebϒϥ΢β/OSɻ

  5. RA (ొ࿥ہ, Registration Authority) ূ໌ॻͷൃߦʹؔ࿈ͨ͠ϚωδϝϯτΛߦ͏ɻূ໌ॻॴ༗ऀͷຊ ਓ֬ೝ౳ɻ CA (ೝূہ, Certification Authority)

    ূ໌ॻͷൃߦΛߦ͏ओମɻূ໌ॻͷࣦޮ৘ใΛΦϯϥΠϯͰఏڙ ͢Δ໾ׂ΋͋Δɻ ࣮ࡍ͸CAͷଟ͕͘RAͷ໾ׂ΋Ռ͍ͨͯ͠Δɻ
  6. 3.2 ূ໌ॻͷඪ४ • X.509ʢσΟϨΫτϦαʔϏε޲͚ʹઃܭ͞Εͨެ։伴ج൫ͷඪ ४ʣˠPKIX WGʹΑΔΠϯλʔωοτ޲͚ͷඪ४Խ: RFC 5280 • ূ໌ॻͷϑΥʔϚοτɺ৴པύεɺCRL

    • CA/Browser Forum: ূ໌ॻͷൃߦ/ॲཧͷඪ४ԽΛߦ͏CAͱϒϥ ΢βϕϯμʔΒʹΑΔஂମ • Baseline Requirements: CA͕ै͏͜ͱ͕ٻΊΒΕΔূ໌ॻൃߦ ͷج४ • IETF Web PKI WG
  7. 3.3 ূ໌ॻ • ެ։伴 • ެ։伴ʹඥ෇͚ΒΕͨओମʹؔ͢Δ৘ใ • ൃߦͨ͠ओମͷσΟδλϧॺ໊ ؚ͕·ΕΔσΟδλϧจॻɻ

  8. 3.3 ূ໌ॻ ASN.1, DER, PEM ASN.1: ΦϒδΣΫτ/σʔλߏ଄ͷΤϯίʔυํࣜͷͻͱͭɻ X.509Ͱ࢖ΘΕΔͷ͸DER(Distinguished Encoding Rules)ϑΥʔϚο

    τɻDERΛBase64Τϯίʔυͨ͠΋ͷ͕PEMɻ ΦϯϥΠϯͷσίʔμʔ: http:/ /lapo.it/asn1js
  9. 3.3 ূ໌ॻ 3.3.1 ূ໌ॻͷϑΟʔϧυ ࣮ࡍʹূ໌ॻΛऔಘͯ͠ΈΔɻ $ openssl s_client -showcerts -connect

    google.com:443 (ϋϯυγΣΠΫ·Ͱཱ֬ͨ͠ΒCtrl-CͰதஅ͢Δ) -----BEGIN CERTIFICATE----- Ͱ࢝·ͬͯ -----END CERTIFICATE----- ͰऴΘΔͷ͕1ͭͷূ໌ॻɻ ࠷ॳͷմΛASN.1ͷΦϯϥΠϯσίʔμʔʹ͔͚Δɻ
  10. None
  11. 3.3 ূ໌ॻ 3.3.1 ূ໌ॻͷϑΟʔϧυ • Version: [0] (1 elem) ->

    INTEGER 2 • Serial Number: INTEGER (63 bit) 5123627332963584822 • Signature Algorithm • ࣍ͷSEQUENCEͷத਎ɻOBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)
  12. 3.3 ূ໌ॻ 3.3.1 ূ໌ॻͷϑΟʔϧυ • Issuer • ͦͷ࣍ͷSEQUENCE (3 elem)ͷத਎

    • /C=US/O=Google Inc/CN=Google Internet Authority G2 ͱදه͞ΕΔ
  13. 3.3 ূ໌ॻ 3.3.1 ূ໌ॻͷϑΟʔϧυ • Validity • ։࢝೔࣌ 2017-05-03 08:56:04

    UTC • ऴྃ೔࣌ 2017-07-26 08:42:00 UTC • Subject • /C=US/ST=California/L=Mountain View/O=Google Inc/ CN=*.google.com
  14. 3.3 ূ໌ॻ 3.3.1 ূ໌ॻͷϑΟʔϧυ • PublicKey • ΞϧΰϦζϜ : rsaEncryption

    (PKCS #1) • ͦͷ͋ͱʹެ։伴͕ೖ͍ͬͯΔ • RSA҉߸ʹ͓͚Δ ͷϖΞͷ͏ͪɺ࠷ॳͷ௕͍ͷ͕2ͭͷ ૉ਺ͷੵ ɺͰ΋͏ยํ͕ ʢ3͔65537͕ଟ͍ʣ • Ͱ ͕ൿີ伴
  15. 3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு [3]ҎԼʹೖ͍ͬͯΔSEQUENCE͕ͦΕɻ • Extended Key Usage •

    serverAuth, clientAuth͕ೖ͍ͬͯΔɻίʔυαΠχϯά༻ ূ໌ॻͩͱcodeSigning͕ೖ͍ͬͯΔɻ • ຊདྷΤϯυΤϯςΟςΟ༻ূ໌ॻʹͷΈ࢖ΘΕΔ΂͖ͱ͞Ε ͍ͯΔ͕(@RFC 5280)ɺ࣮ࡍ͸தؒCAূ໌ॻ͕ൃߦͨ͠ূ໌ ॻʹରͯ͠࢖ΘΕ͍ͯΔɻ
  16. 3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு • Subject Alternative Name • Ҏલ͸SubjectͷCNཁૉͷϗετ໊Λ࢖͍͕ͬͯͨɺSAN֦ு

    ʹΑͬͯ: • ෳ਺ͷओମʹର͢Δূ໌ॻΛ1ͭʹ·ͱΊΒΕΔ • DNS໊/IPΞυϨε/URIͰओମΛදݱͰ͖Δ • GoogleͷྫͰ͸ccTLDҧ͍΍ؔ࿈͢ΔυϝΠϯ΋ฒΜͰ͍Δ
  17. 3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு • Authority Information Access • ocsp:

    OCSPϨεϙϯμͷ৔ॴ • caIssuers: CAͷূ໌ॻͷ৔ॴ
  18. 3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு • SubjectKeyIdentifier • ಛఆͷ伴Λ࣋ͭূ໌ॻͷࣝผ༻ͷ஋ɻϋογϡ౳Ͱ࡞Δɻ • CA͕ൃߦͨ͠ূ໌ॻͷ͜Ε

    = CAͷূ໌ॻͷAuthority Key Identifier
  19. ྫ authorityInfoAccessͷcaIssuers͔ΒCAূ໌ॻΛऔΔɻ $ wget http://pki.google.com/GIAG2.crt $ openssl x509 -in GIAG2.crt

    -inform DER -out GIAG2.pem -outform PEM ͱͯ͠ಘΒΕͨPEMΛσίʔμʔʹ͔͚Δɻ • ূ໌ॻͷAKI: 4ADD06161BBCF668B576F581B6BB621ABA5A812F • CAূ໌ॻͷSKI: 4ADD06161BBCF668B576F581B6BB621ABA5A812F Ұகͨ͠ʂ
  20. 3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு • Basic Constraints • CAূ໌ॻͰ͋Δ͜ͱΛࣔ͠ɺԼҐCAͷূ໌ॻύεͷਂ͞Λ੍ ޚ͢Δ...͕͜ͷূ໌ॻ͸CAূ໌ॻͰ͸ͳ͍ͷͰOCTET

    STRING -> SEQUENCEͷத਎͕ۭ
  21. 3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு • Authority Key Identifier • ূ໌ॻʹର͢Δॺ໊ͷ伴Λಛఆ͢Δ΋ͷɻ਌ͷূ໌ॻͷࣝผ

    ͷͨΊʹ࢖͏ɻ • ͜Εͷ਌ͷূ໌ॻͷSubject Key IdentifierͱҰக͢Δϋζɻ
  22. 3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு • Certificate Policies • ϙϦγʔ͕ೖ͍ͬͯΔ •

    OIDͱݶఆࢠ͕ೖ͍ͬͯΔ…͕͜͜Ͱ͸ݶఆࢠ͸ೖ͍ͬͯͳ ͍ɻ • Baseline RequirementsʹΑΔͱඞͣ1ͭ͸ඞཁ
  23. None
  24. Let's EncryptͰऔͬͨূ໌ॻΛݟͯΈͨΒ • http:/ /cps.letsencrypt.org ͱ͍͏URLͱ • "This Certificate may

    only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https:/ / letsencrypt.org/repository" ͱॻ͍ͯ͋Δ
  25. 3.3 ূ໌ॻ 3.3.2 ূ໌ॻͷ֦ு • CRL Distribution Points • Certificate

    Revocation List(ূ໌ॻࣦޮϦετ)ͷ৔ॴΛࣔ͢ͷʹ ࢖ΘΕΔɻ • Baseline RequirementsʹΑΔͱCRL΋͘͠͸OCSPͷͲͪΒ͔ Ͱࣦޮ৘ใΛࣔ͢ඞཁ͕͋Δɻ • ͦ͏͍͑͹͜ͷূ໌ॻʹ͸Name Constraints͸ೖͬͯͳ͔ͬͨɻ
  26. 3.4 ূ໌ॻνΣʔϯ ݸผͷূ໌ॻͷݕূ͚ͩͰ͸ݕূ͸ෆे෼Ͱɺϧʔτ΁ͱ࿈ͳΔ ূ໌ॻνΣʔϯΛ४උ͢Δඞཁ͕͋Δɻ • ϧʔτΛ҆શʹอͭ • ී௨ϧʔτCAূ໌ॻͰΤϯυΤϯςΟςΟ޲͚ূ໌ॻΛൃߦ ͠ͳ͍ɻதؒCAূ໌ॻΛ࢖͏ɻ •

    Baseline RequirementsͰ͸ϧʔτ伴Λ࢖͏ͱ͖͸खͰίϚϯ υΛ௚઀ୟ͘Α͏ཁٻ͍ͯ͠Δ = ϧʔτ伴͸ΦϑϥΠϯͰอ ؅͓ͯ͘͠΂͖
  27. 3.4 ূ໌ॻνΣʔϯ • ૬ޓೝূূ໌ॻ • ৽͘͠CAͷӡ༻Λ࢝ΊΔͨΊʹඞཁ • ۠ըԽ • ԼҐCAূ໌ॻؒͰӡ༻Λ෼ׂ

    • ҕৡ • ؔ࿈૊৫ʹҕৡ͢Δ͜ͱ͕͋Δ
  28. 3.4 ূ໌ॻνΣʔϯ αʔό͕ఏࣔͰ͖Δূ໌ॻνΣʔϯ͸1͚͕࣮ͭͩͩࡍ͸ଟ༷ͳ৴ པύε͕͋Γ͏Δʢ૬ޓೝূͷ৔߹ͳͲʣɻ ύεͷߏஙʹΑΔ໰୊͸αʔόଆɾΫϥΠΞϯτଆͷ྆ํͰ͋Γ ͏Δʢˠ6.1અʣɻ

  29. 3.5 ূ໌ॻར༻ऀ ৴༻͢Δϧʔτূ໌ॻͷҰཡ͸Ͳ͜ʹ͋Δʁ • جຊతʹ͸OS͕༻ҙ͍ͯ͠Δ • Mozilla͸ෳ਺ϓϥοτϑΥʔϜ޲͚ʹಠࣗͷϧʔττϥετε τΞΛ༻ҙ͍ͯ͠Δ • ChromeͰ͸௥ՃͷϧʔϧΛ͍͔ͭ͘༻ҙ

  30. 3.5 ূ໌ॻར༻ऀ ChromeͷRoot Certificate Policy ʹΑΔͱ: • "EV-Qualified"ͳroot certificateͷҰཡΛϋʔυίʔυͯ࣋ͬͯ͠ ͍Δ

    • EVূ໌ॻ͸Certificate TransparencyΛཁٻ • OSͷroot certificate listʹ͋Δূ໌ॻͷdistrustΛ͢ΔݖརΛ Chromeଆ͕อ࣋ʹϒϥοΫϦετΛ͍࣋ͬͯΔ
  31. 3.6 CA ʮݱࡏͷΠϯλʔωοτʹ͓͚ΔτϥετϞσϧͰ࠷΋ॏཁͳ໾ ׂΛՌͨ͢ͷ͕CAʯɻ ͍͢͝ݴΘΕΑ͏͕ͩɺύϒϦοΫCAʹͳΔͨΊʹ͸ɿ • 1b. ͖ΘΊͯػහͳϧʔτCAূ໌ॻͱɺԼҐCAূ໌ॻͷ伴Λ๷ ޚͭͭ͠ɺ঎ۀతӡ༻͕Մೳͳڧݻ͔ͭ҆શͰ۠ըԽ͞Εͨω οτϫʔΫΛઃܭ͢Δ͜ͱ

    • 1f. άϩʔόϧͳCRL͓ΑͼOCSPͷج൫Λ༻ҙ͢Δ͜ͱ ͋ͨΓ͕Ͱ͖Δͱ͜Ζ͕·ͣݶΒΕͯ·͢Ͷ…
  32. 3.7 ূ໌ॻͷϥΠϑαΠΫϧ • ূ໌ॻॴ༗ऀ͕CSR(Certificate Signing Request)Λ༻ҙɺͦΕΛ͍ ͣΕ͔ͷCAʹૹ৴ • CSR: ؔ࿈͢Δެ։伴Λ֨ೲɺରԠ͢Δൿີ伴Λ͍࣋ͬͯΔ͜

    ͱΛॺ໊Λར༻ͯࣔ͢͠ • CA͕ূ໌ॻͷݕূΛߦ͏ • ূ໌ॻΛൃߦɻϧʔτCAূ໌ॻʹͨͲΓண͘ͷʹඞཁͳதؒCA ূ໌ॻ΋ൃߦɻ • ظݶ੾Ε·Ͱ࢖͑Δɻظݶ͕੾ΕͨΒҰ͔Β΍Γ௚͢ɻ
  33. 3.7 ূ໌ॻͷϥΠϑαΠΫϧ • DVূ໌ॻ(Domain Validation) • υϝΠϯͷॴ༗ͷΈΛ֬ೝ͢Δɻ • OVূ໌ॻ(Organization Validation)

    • ૊৫ͷ࣮ࡏੑɾຊਓੑূ໌͕ೖΔɻ • EVূ໌ॻ(Extended Validation) • OVূ໌ॻͷݕূΛΑΓݫ֨ʹͨ͠΋ͷɻURLόʔʹاۀ໊͕ ग़ͯ͘Δɻ
  34. 3.8 ࣦޮ CRL(Certificate Revocation List) ظݶ੾Εʹͳ͍ͬͯͳ͍͕ࣦޮͨ͠ূ໌ॻͷγϦΞϧ൪߸Λྻڍ ͨ͠΋ͷɻ ೉఺ͱͯ͠͸ංେԽͯ͠ݕࡧ͢Δͷ͕େมɻ

  35. 3.8 ࣦޮ OCSP(Online Certificate Status Protocol) ୯Ұͷূ໌ॻͷࣦޮঢ়ଶΛূ໌ॻར༻ऀ͕औಘͰ͖ΔΑ͏ʹ͢Δ ࢓૊ΈɻOCSPαʔόͷ͜ͱΛOCSPϨεϙϯμͱݺͿɻOCSPϨε ϙϯμͷҐஔ͸Authority Information

    Access֦ுʹॻ͔ΕΔɻ ύϑΥʔϚϯεͷ໰୊: ຖճ໰͍߹ΘͤΔͱϨΠςϯγ͠ΜͲ͍ɻ ϓϥΠόγʔͷ໰୊: OCSPϨεϙϯμ΁ͷ௨৴ݟͨΒͲͷূ໌ॻ࢖ ͓͏ͱͯ͠Δ͔Θ͔ͬͪΌ͏ɻ →OCSPεςʔϓϦϯάͰղܾΛ໨ࢦ͢ɻ
  36. 3.9 ऑ఺ ·ͣΤίγεςϜࣗମͷऑ఺ͱͯ͠ɺCAͱϒϥ΢βϕϯμʔͱ͍ ͏Ӧརஂମʹґଘ͍ͯ͠Δͱ͍͏໰୊͕͋ΔɻӦརஂମͰ͋ΔҎ ্ηΩϡϦςΟ͸࠷༏ઌࣄ߲Ͱ͸ͳ͍ʢҟ࿦͸͋Δ͕ʣ

  37. 3.9 ऑ఺ ূ໌ॻͷൃߦʹࡍͯ͠υϝΠϯॴ༗ऀͷڐՄ͕ٻ ΊΒΕͳ͍ CA͸ڐՄͳ͘ͲΜͳυϝΠϯͷূ໌ॻͰ΋ൃߦͰ͖Δɻʹٕज़త ʹCAͷखൈ͖΍աࣦ͔Β਎ΛकΔखஈ͕ͳ͍ɻ ৴པΛਝ଎ʹ෮چͰ͖ͳ͍ ʹಛఆͷূ໌ॻʹ͍ͭͯɺall-or-nothingͰ৴པ͢Δ͔͠ͳ͍͔ͷ બ୒ࢶ͔͠ͳ͍ɻ

  38. 3.9 ऑ఺ υϝΠϯͷݕূ͕ऑ͍ WHOISϓϩτίϧͰऔಘͰ͖ΔυϝΠϯ໊ͷॴ༗ऀ৘ใʹ΋ͱͮ ͍ͯൃߦ͞ΕΔ ʢͱ͍͏͚Ͳɺ͜ͷ΁Μ࠷ۙLet's EncryptͰWHOIS৘ใͱҧ͏ϝʔ ϧΞυϨεͰ͋ΔυϝΠϯͷূ໌ॻΛऔಘͨ͠ͷͰɺDVূ໌ॻͷ ݕূϓϩτίϧ͸ACMEͰएׯख͕ೖͬͨͱࢥΘΕΔʣ

  39. 3.9 ऑ఺ ࣦޮ͕͏·͍͔͘ͳ͍ CAͷ໰୊ʹରͯ͠ϒϥοΫϦετͰհೖ͢Δ͔͠ͳ͔ͬͨɻ • Baseline Requirementsʹ͓͍ͯCRL/OCSPͷ৘ใ͸10೔ؒ·Ͱ͸ ༗ޮͳ··ʹ͢Δ͜ͱ͕ڐ͞Ε͍ͯΔ • ݱߦͷ͢΂ͯͷϒϥ΢βͰʮࣦޮ৘ใͷऔಘʹࣦഊͯ͠΋શମ

    ͱͯ͠͸fail͠ͳ͍ʯʹsoft fail͕औΒΕ͍ͯΔ
  40. 3.9 ऑ఺ ূ໌ॻͷܯࠂ͕ηΩϡϦςΟͷҙਤΛ୆ແ͠ʹ͢ Δ ϒϥ΢βͷܯࠂΈΜͳແࢹ͢ΔΑͶɺͱ͍͏͔ແࢹ͠Ζͱݴͬͯ ΔαΠτ͋ΔΑͶ… ͜͜ʹ͍ΔΈͳ͞Μ͸େৎ෉ͩͱࢥ͍·͕͢ɺཔΉ͔ΒDVূ໌ॻ ͢ΒऔΒͳ͍ͰެతαʔϏεӡ༻ͯ͠Δۀऀ͸ഇۀͯ͠Ͳ͏ͧɺ ಛʹ͓ۚབྷΉͳΒEVऔͬͯ

  41. 3.10 ϧʔτCAূ໌ॻͷ伴ͷةຆԽ ࠷΋࣮֬ʹ͸ϧʔτCAͷ伴߈ܸ͢Ε͹͍͍ΑͶʂ • ੓෎ݖݶͰൿີ伴Λఏڙ͢ΔΑ͏ཁٻ͢Δ • ৽نʹCAΛઃஔͯ͠τϥετετΞʹϧʔτCAূ໌ॻΛೖΕΔ • 1024Ϗοτͷ伴Ͱ͋Ε͹2003೥࣌఺Ͱ1000ສถυϧͷϚγϯ ͕͋Ε͹1೥ͰഁΕΔͱͷݟੵ΋Γɻ2013೥ʹ͸100ສถυϧʹ

    Ҿ͖Լ͛ɻ1024Ϗοτ伴Λ࢖͏ͷΛ΍ΊΑ͏ʂ → 2015೥10݄ ʹશϧʔτCAূ໌ॻ͸2048ϏοτҎ্ʹҠߦ
  42. 3.11 ΤίγεςϜͷ؍ଌ Internet SSL Survey 2010, The EFF SSL Observatory

    ͳͲɺPKIΤίγ εςϜͷεΩϟχϯάɾϞχλϦϯάʹؔ͢Δ࿩ɻ ஌ΒΕͯͳ͔ͬͨࣄ࣮ͱͯ͠ɺCA͕ϓϥΠϕʔτIPΞυϨε޲͚ͷ ূ໌ॻ΍׬શम০Ͱͳ͍υϝΠϯ໊޲͚ͷূ໌ॻΛൃߦ͍ͯͨ͠ ࣄ࣮ͳͲ͕Θ͔ͬͨɻ
  43. 3.12 վળ Perspectives ʮTLSͷೝূΛิॿ͢Δಠཱͨ͠ެূਓʯ ΫϥΠΞϯτ͸୯ಠͰ͸ূ໌ॻͷೝূΛܾΊΒΕͳ͍ Convergence Perspectivesͷ֦ுɻެূਓ΁ͷϦΫΤετʹෳ਺ͷϓϩΩγαʔ όΛհࡏͤ͞Δɻʢ͋·ΓΞΫςΟϒͰͳ͍ʣ

  44. 3.12 վળ ެ։伴ϐϯχϯά αΠτͷॴ༗ऀ͕৴པͰ͖ΔCAΛબ୒Ͱ͖Δɻ ChromeͰ͸ಠ࣮ࣗ૷ɺHPKP͕RFC 7469ͱͯ͠ඪ४Խɻ DANE DNSSECͱTLSೝূͷڮ౉͠Λ͢Δ໾໨ɻ DNSSEC: DNSκʔϯ΁ͷॺ໊ʹ࢖͏伴ΛυϝΠϯ໊ʹؔ࿈͚ͮΔ

  45. 3.12 վળ ιϒϦϯ伴 ௥ՃͷηΩϡϦςΟอূΛಋೖɻެతʹݕূՄೳͳϩάʹه࿥͞ ΕΔ伴Λ࢖ͬͯυϝΠϯ໊Λओு͢ΔɻιϒϦϯ伴Λࣦͬͯ͠· ͬͨΒճ෮͢Δखஈ͕ͳ͍ɻ·ͩΞΠσΞϨϕϧɻ MECAI(Mutually Endorsing CA Infrastructure)

    ެূਓΛ࢖͏ํ๏Ͱɺͦͷج൫ΛCA͕ӡ༻͢ΔɻΞΠσΞϨϕ ϧɻ
  46. 3.12 վળ CT(Certificate Transparency) ূ໌ॻͷ؂ࠪͱϞχλϦϯάͷͨΊͷϑϨʔϜϫʔΫɻCA͸ൃߦ ͢Δূ໌ॻΛެ։ͷϩάʹૹΓɺૹͬͨ͜ͱͷ҉߸ֶతͳূ໌Λ खʹೖΕΔɻChromeͰ͸EVূ໌ॻ͸CTରԠ͕ཁٻ͞Ε͍ͯΔɻ TACK(Trust Assurances for

    Certificate Keys) αʔό͕ఏڙͨ͠ॺ໊伴ΛϐϯཹΊ͢ΔɻCAͷΠϯϑϥʹґଘ͠ ͳͯ͘ࡁΉΑ͏ʹͳΔɻެࣜʹαϙʔτ͢ΔΫϥΠΞϯτ͸·ͩ