CN102026161A - System and method for validity verification of certificate in mobile backhaul net - Google Patents

Info

Publication number: CN102026161A
Authority: CN (China)
Application number: CN2009101714949A
Other languages: Chinese (zh)
Other versions: CN102026161B (en)
Inventors: 陈书义, 韦银星, 颜正清, 王鸿彦
Assignee: ZTE Corp
Legal status: Granted; Expired - Fee Related

Abstract

The invention provides a system and method for verifying certificate validity in a mobile backhaul network. The method comprises the following steps: when the validity of a certificate within a domain is to be verified, an Online Certificate Status Protocol (OCSP) client sends an OCSP query request carrying a request certificate list to an OCSP responder; after receiving the OCSP query request, the OCSP responder asks a certificate repository to verify the validity of the certificates in the request certificate list; the certificate repository queries the validity of the certificates in the request certificate list and returns the retrieval results, which the OCSP responder forwards to the OCSP client. The invention can verify the validity of certificates in a mobile backhaul network efficiently and in real time.

Description

System and method for verifying certificate validity in a mobile backhaul network
Technical field
The present invention relates to the field of communication technology, and in particular to a system and method for verifying certificate validity in a mobile backhaul network.
Background technology
Security of the mobile backhaul network has received increasing attention. Organizations such as 3GPP, BBF and NGMN have analysed the security requirements of the mobile backhaul network in some depth, and certificate management is the foundation of the mobile backhaul network security mechanism.
3GPP TS 33.401 proposes protecting the mobile backhaul network with the Network Domain Security (NDS) mechanism, and NDS certificate management follows the related specification TS 33.310. However, TS 33.310 was written for the certificate management requirements of network domains and does not fully fit the requirements for verifying certificate validity in a mobile backhaul network, so the certificate validity verification mechanism in that standard needs to be strengthened.
Certificate validity verification in TS 33.310 is mainly based on CRLs. TS 33.310 divides CRLs into three classes: local CRLs, public CRLs and operator-internal CRLs; certificate validity is verified by accessing these CRL repositories. TS 33.310 describes how CRL repositories are accessed in the NDS domain: SEGs access the CRL repository via LDAP, and NEs access it via LDAP or HTTP.
The CRL mechanism has certain shortcomings and is unsuitable for some scenarios. The main problems of CRLs are: (1) CRL size. The size of a CRL is proportional to the number of end entities in the CA domain, the certificate lifetime and the probability of certificate revocation. Moreover, revocation information must remain available for the whole lifetime of the issued certificate, which can make the CRL very large. An oversized CRL also increases the network load of periodic CRL requests. (2) Timeliness of the revocation information contained in a CRL. CRLs are published periodically while revocation requests arrive at random, so the timeliness and accuracy of certificate revocation information cannot be guaranteed. In summary, the CRL mechanism is unsuitable for application scenarios that need certificate status information in real time and need the status of only a single certificate.
To remedy the high overhead and lack of real-time behaviour of CRLs, the PKIX working group proposed the Online Certificate Status Protocol (OCSP) in RFC 2560, which enables online certificate status checking. An OCSP responder can also provide other status information that CRLs cannot, such as certain extension information. Compared with CRLs, the OCSP protocol has the following advantages:
(1) OCSP provides fresh, immediate certificate status information, remedying the deficiency of CRLs and avoiding the inconvenience of distributing large CRLs;
(2) OCSP operates in a typical client/server mode, so it can support more users;
(3) an OCSP response is smaller than sending a whole CRL, so it takes minimal network bandwidth and conserves bandwidth;
(4) compared with periodically published CRLs, OCSP offers better anonymity, because the requester must ask for the status of specific certificates rather than simply obtain the whole certificate revocation list;
(5) OCSP request/response messages can be carried over TCP/IP networks and transported by multiple transport mechanisms such as HTTP, SMTP and LDAP;
(6) because the OCSP responder digitally signs each definitive response, if the end user retains the digitally signed information, the time at which the OCSP request was sent and a valid OCSP response, this information can serve as non-repudiation evidence for past transactions, which is much simpler than with CRLs.
In a mobile backhaul network there are scenarios that query the validity of a single certificate, for example an H(e)NB querying the validity of the SEG certificate, or an eNB reset causing the SEG to query the validity of the eNB certificate issued by the equipment vendor. The prior art still lacks a scheme for verifying certificate validity in a mobile backhaul network.
Summary of the invention
The technical problem to be solved by the present invention is to provide a system and method for verifying certificate validity in a mobile backhaul network, solving the problem of how to verify certificate validity in a mobile backhaul network in real time and efficiently.
To solve the above problem, the invention provides a method for verifying certificate validity in a mobile backhaul network, applicable to verifying certificate validity within a domain, the method comprising:
an Online Certificate Status Protocol (OCSP) client sends an OCSP query request carrying a request certificate list to an OCSP responder; after receiving the OCSP query request, the OCSP responder asks a certificate repository to verify the validity of the certificates in the request certificate list; the certificate repository queries the validity of the certificates in the request certificate list, and the certificate validity retrieval result is forwarded to the OCSP client through the OCSP responder.
Further, the OCSP query request also comprises the OCSP protocol version and the requestor name.
Further, the OCSP responder asking the certificate repository to verify the validity of the network element certificates means that the OCSP responder sends a certificate retrieval request message carrying the request certificate list to the certificate repository;
the request certificate list comprises the certificates of one or more network elements that the OCSP client wants to verify.
The present invention also provides a method for verifying certificate validity in a mobile backhaul network, applicable to verifying certificate validity between domains, the method comprising:
an Online Certificate Status Protocol (OCSP) client sends an OCSP query request carrying the domain name information of a remote OCSP responder and a request certificate list to a local OCSP responder; after receiving the OCSP query request, the local OCSP responder resolves the IP address of the remote OCSP responder from its domain name and then sends an OCSP query request carrying the request certificate list to the remote OCSP responder;
the remote OCSP responder asks a remote certificate repository to verify the validity of the certificates in the request certificate list; the remote certificate repository queries the validity of the certificates in the request certificate list, and the certificate validity retrieval result is forwarded to the OCSP client through the remote OCSP responder and the local OCSP responder.
Further, the local OCSP responder resolving the IP address of the remote OCSP responder from its domain name after receiving the OCSP query request means:
the local OCSP responder obtains the domain name information of the remote OCSP responder from the OCSP query request and sends a domain name resolution request carrying that domain name information to a domain name resolution server; the domain name resolution server resolves the IP address of the remote OCSP responder from its domain name and then returns a domain name resolution response carrying the IP address of the remote OCSP responder to the local OCSP responder.
Further, the domain name information of the remote OCSP responder is carried in the serviceLocator field of the OCSP query request.
The present invention also provides a system for verifying certificate validity in a mobile backhaul network, applicable to verifying certificate validity within a domain, the system comprising an Online Certificate Status Protocol (OCSP) client, an OCSP responder and a certificate repository;
the OCSP client is configured to send an OCSP query request carrying a request certificate list to the OCSP responder;
the OCSP responder is configured to ask the certificate repository to verify the validity of the certificates in the request certificate list after receiving the OCSP query request, and to send the received certificate validity retrieval result to the OCSP client;
the certificate repository is configured to query the validity of the certificates in the request certificate list according to the request certificate list, and to send the certificate validity retrieval result to the OCSP responder.
Further, the OCSP query request also comprises the OCSP protocol version and the requestor name;
the request certificate list comprises the certificates of one or more network elements that the OCSP client wants to verify.
The present invention also provides a system for verifying certificate validity in a mobile backhaul network, applicable to verifying certificate validity between domains, comprising an Online Certificate Status Protocol (OCSP) client, a local OCSP responder, a remote OCSP responder and a remote certificate repository;
the OCSP client is configured to send an OCSP query request carrying the request certificate list and the domain name information of the remote OCSP responder to the local OCSP responder;
the local OCSP responder is configured to resolve the IP address of the remote OCSP responder from its domain name after receiving the OCSP query request, and to send an OCSP query request carrying the request certificate list to the remote OCSP responder; it is also configured to send the received certificate validity retrieval result to the OCSP client;
the remote OCSP responder is configured to ask the remote certificate repository to verify the validity of the certificates in the request certificate list after receiving the OCSP query request, and to send the received certificate validity retrieval result to the local OCSP responder;
the remote certificate repository is configured to query the validity of the certificates in the request certificate list according to the request certificate list, and to send the certificate validity retrieval result to the remote OCSP responder.
Further, the system also comprises a domain name resolution server;
the local OCSP responder resolving the IP address of the remote OCSP responder from the domain name contained in the OCSP query request after receiving it means:
the local OCSP responder obtains the domain name information of the remote OCSP responder from the OCSP query request and sends a domain name resolution request carrying that domain name information to the domain name resolution server;
the domain name resolution server is configured to resolve the IP address of the remote OCSP responder from its domain name and then return a domain name resolution response carrying the IP address of the remote OCSP responder to the local OCSP responder.
Further, the domain name information of the remote OCSP responder reaches the local OCSP responder in the serviceLocator field of the OCSP query request.
In summary, the invention provides a system and method for verifying certificate validity in a mobile backhaul network that can verify the validity of certificates in the mobile backhaul network in real time and efficiently.
Brief description of the drawings
Fig. 1 is a schematic diagram of intra-domain certificate validity verification based on OCSP;
Fig. 2 is a schematic diagram of inter-domain certificate validity verification based on OCSP;
Fig. 3 is a schematic diagram of an intra-domain OCSP query by an eNB/H(e)NB;
Fig. 4 is a schematic diagram of an intra-domain OCSP query by an SEG/MME;
Fig. 5 is a schematic diagram of an inter-domain OCSP query by an SEG/MME.
Detailed description of the embodiments
The invention provides a system and method for verifying certificate validity in a mobile backhaul network, solving the problem of how to verify certificate validity in a mobile backhaul network in real time and efficiently.
System embodiments
Embodiment one
The system for verifying certificate validity in a mobile backhaul network of this embodiment is applicable to verifying certificate validity within a domain, and comprises an Online Certificate Status Protocol (OCSP) client, an OCSP responder and a certificate repository;
the OCSP client is configured to send an OCSP query request carrying a request certificate list to the OCSP responder;
the OCSP responder is configured to ask the certificate repository to verify the validity of the certificates in the request certificate list after receiving the OCSP query request, and to send the received certificate validity retrieval result to the OCSP client;
the certificate repository is configured to query the validity of the certificates in the request certificate list according to the request certificate list, and to return a certificate retrieval response message carrying the certificate validity retrieval result to the OCSP responder.
The OCSP query request also comprises the OCSP protocol version and the requestor name;
the request certificate list comprises the certificates of one or more network elements that the OCSP client wants to verify.
Embodiment two
The system for verifying certificate validity in a mobile backhaul network of this embodiment is applicable to verifying certificate validity between domains, and comprises an Online Certificate Status Protocol (OCSP) client, a local OCSP responder, a remote OCSP responder, a DNS (domain name resolution) server and a remote certificate repository;
the OCSP client is configured to send an OCSP query request carrying the request certificate list and the domain name information of the remote OCSP responder to the local OCSP responder;
the local OCSP responder is configured to resolve the IP address of the remote OCSP responder from its domain name after receiving the OCSP query request, and to send an OCSP query request carrying the request certificate list to the remote OCSP responder; it is also configured to send the received certificate validity retrieval result to the OCSP client;
the remote OCSP responder is configured to ask the remote certificate repository to verify the validity of the certificates in the request certificate list after receiving the OCSP query request, and to send the received certificate validity retrieval result to the local OCSP responder;
the remote certificate repository is configured to query the validity of the certificates in the request certificate list according to the request certificate list, and to return a certificate retrieval response message carrying the certificate validity retrieval result to the remote OCSP responder.
The local OCSP responder resolving the IP address of the remote OCSP responder from the domain name contained in the OCSP query request after receiving it means: the local OCSP responder obtains the domain name information of the remote OCSP responder from the OCSP query request and sends a DNS request carrying that domain name information to the DNS server;
the DNS server is configured to resolve the IP address of the remote OCSP responder from its domain name and then return a DNS response carrying the IP address of the remote OCSP responder to the local OCSP responder.
The domain name information of the remote OCSP responder reaches the local OCSP responder in the serviceLocator field of the OCSP query request.
Method embodiments
Embodiment one
This embodiment provides a method for verifying certificate validity in a mobile backhaul network, applicable to verifying certificate validity within a domain; the specific flow is shown in Fig. 1:
Step 101: the OCSP client sends an OCSP query request to the OCSP responder;
the OCSP query request comprises the OCSP protocol version (version), the requestor name (requestorName) and the request certificate list (requestList); here the requestor name is the name of the OCSP client, and the request certificate list comprises the certificates of one or more network elements that the OCSP client wants to verify.
Step 102: after receiving the OCSP query request, the OCSP responder sends a certificate retrieval request message carrying the request certificate list to the certificate repository, in order to query the validity of the certificates in the request certificate list;
Step 103: the certificate repository receives the certificate retrieval request message, queries the validity of the certificates according to the request certificate list it carries, and returns a certificate retrieval response message carrying the certificate validity retrieval result to the OCSP responder; the retrieval result can be good, revoked or unknown.
Step 104: the OCSP responder generates an OCSP response message from the received certificate validity retrieval result and returns it to the OCSP client; the OCSP response message comprises the retrieval result for the certificates.
Embodiment two
This embodiment provides a method for verifying certificate validity in a mobile backhaul network, applicable to verifying certificate validity between domains; the specific flow is shown in Fig. 2:
Step 201: the OCSP client sends an OCSP query request to the local OCSP responder; when generating the OCSP query request, the OCSP client fills the domain name information of the remote OCSP responder that is to verify the certificates into the serviceLocator field of the OCSP query request;
the OCSP query request comprises the OCSP protocol version (version), the requestor name (requestorName), the request certificate list (requestList) and the serviceLocator field; here the requestor name is the name of the OCSP client, and the request certificate list comprises the certificates of one or more network elements that the OCSP client wants to verify.
Step 202: after receiving the OCSP request, the local OCSP responder parses the serviceLocator field and sends a DNS request to the DNS (domain name resolution) server, carrying the domain name information of the remote OCSP responder contained in the serviceLocator field, to query the IP address corresponding to the remote OCSP responder;
Step 203: the DNS server resolves the IP address of the remote OCSP responder from its domain name and then returns a DNS reply carrying the IP address of the remote OCSP responder to the local OCSP responder;
Step 204: the local OCSP responder generates an OCSP query request and sends it to the remote OCSP responder;
this OCSP query request comprises the OCSP protocol version (version), the requestor name (requestorName) and the request certificate list (requestList); here the requestor name field is replaced with the name of the local responder.
Step 205: after receiving the query request, the remote OCSP responder sends a certificate retrieval request message carrying the request certificate list to the certificate repository, in order to query the validity of the certificates in the request certificate list;
Step 206: the certificate repository receives the certificate retrieval request message, queries the validity of the certificates according to the request certificate list it carries, and returns a certificate retrieval response message carrying the certificate validity retrieval result to the remote OCSP responder; the retrieval result can be good, revoked or unknown.
Step 207: the remote OCSP responder generates an OCSP response message from the received certificate validity retrieval result and sends it to the local OCSP responder; the OCSP response message comprises the retrieval result for the certificates.
Step 208: the local OCSP responder forwards the OCSP response message it has just received to the OCSP client.
The present invention is further described below through several application examples.
Application example one
Fig. 3 is a schematic diagram of an intra-domain OCSP query by an eNB/H(e)NB. In this scenario, an eNB or H(e)NB needs to verify the validity of the certificate of a network element in the same domain; the domain can be a security domain or any domain belonging to the same administrator. An OCSP client is deployed in the eNB or H(e)NB.
Step 301: when the eNB or H(e)NB needs to verify the validity of the certificates of one or more network elements, its OCSP client sends an OCSP query request to the OCSP responder; the OCSP query request comprises the OCSP protocol version (version), the requestor name (requestorName) and the request certificate list (requestList).
Step 302: after receiving the OCSP query request, the OCSP responder sends a certificate retrieval request message carrying the request certificate list to the certificate repository, to search the local RA/CA certificate repository.
Step 303: the local RA/CA certificate repository returns a certificate retrieval response message carrying the certificate validity retrieval result to the OCSP responder.
Step 304: the OCSP responder generates an OCSP response message from the received certificate validity retrieval result and returns it to the eNB or H(e)NB.
Application example two
Fig. 4 is a schematic diagram of an intra-domain OCSP query by an SEG/MME. In this scenario, an SEG or MME needs to verify the validity of the certificate of a network element in the same domain; the domain can be a security domain or any domain belonging to the same administrator. An OCSP client is deployed in the SEG and the MME.
Step 401: when the SEG or MME needs to verify the validity of the certificates of one or more network elements, its OCSP client sends an OCSP query request to the OCSP responder.
Step 402: after receiving the query request, the OCSP responder sends a certificate retrieval request message to the certificate repository, to search the local RA/CA certificate repository.
Step 403: the local RA/CA certificate repository returns a certificate retrieval response message carrying the certificate validity retrieval result to the OCSP responder.
Step 404: the OCSP responder generates an OCSP response message from the received certificate validity retrieval result and returns it to the SEG or MME.
Application example three
Fig. 5 is a schematic diagram of an inter-domain OCSP query by an SEG/MME. In this scenario, an SEG or MME needs to verify the validity of the certificate of a network element whose certificate responder is not in this domain, so a cross-domain OCSP query is needed. An OCSP client is deployed in the SEG and the MME.
Step 501: when the SEG or MME needs to verify the validity of a network element certificate, its OCSP client sends an OCSP query request to the OCSP responder; when generating the OCSP query request, the OCSP client fills the domain name information of the remote OCSP responder that is to verify the certificate into the serviceLocator field of the OCSP query request.
Step 502: after receiving the OCSP query request, the local OCSP responder parses the serviceLocator field and sends a DNS message carrying the domain name information of the remote OCSP responder to the DNS server, to query the IP address corresponding to the remote OCSP responder;
Step 503: the DNS server returns a DNS reply, which contains the IP address of the remote OCSP responder.
Step 504: the local OCSP responder generates an OCSP query request and sends it to the remote OCSP responder;
this OCSP query request comprises the OCSP protocol version (version), the requestor name (requestorName) and the request certificate list (requestList); here the requestor name field is replaced with the name of the local responder.
Step 505: after receiving the query request, the remote OCSP responder sends a certificate retrieval request message to the certificate repository of its own domain, to search the RA/CA certificate repository.
Step 506: the RA/CA certificate repository returns a certificate retrieval response message carrying the certificate validity retrieval result to the remote OCSP responder.
Step 507: the remote OCSP responder generates an OCSP response message from the received certificate validity retrieval result and sends it to the local OCSP responder.
Step 508: the local OCSP responder forwards the received OCSP response message to the OCSP client of the SEG or MME.
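The intra-domain flow (steps 101-104, application examples one and two) and the cross-domain flow (steps 201-208, application example three) as an added Python simulation written for this page; it is not ZTE's implementation nor a real OCSP stack. The class names, the certificate serial numbers, the domain names and the 192.0.2.10 address are constructed assumptions; the serviceLocator field, the requestorName replacement at the local responder, the DNS lookup and the good/revoked/unknown results follow the description above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"   # retrieval results named in steps 103 and 206


@dataclass
class OcspRequest:
    version: int
    requestor_name: str                     # OCSP client name, or the local responder's name once forwarded
    request_list: List[str]                 # serial numbers of the certificates to verify (constructed)
    service_locator: Optional[str] = None   # remote responder domain name; set for cross-domain queries only


@dataclass
class OcspResponse:
    responder_name: str
    results: Dict[str, str]                 # serial -> good / revoked / unknown


class CertRepository:
    """RA/CA certificate repository of one domain (hypothetical in-memory stand-in)."""
    def __init__(self, status: Dict[str, str]):
        self._status = status

    def retrieve(self, request_list: List[str]) -> Dict[str, str]:
        # Certificate retrieval response: a serial the repository does not know is 'unknown'.
        return {serial: self._status.get(serial, UNKNOWN) for serial in request_list}


class DnsServer:
    """Domain name resolution server consulted by the local responder (steps 202 and 203)."""
    def __init__(self, records: Dict[str, str]):
        self._records = records

    def resolve(self, name: str) -> str:
        if name not in self._records:
            raise LookupError(f"no address record for {name}")
        return self._records[name]


class OcspResponder:
    """Responder of a single domain: steps 102-104, or 205-207 on the remote side."""
    def __init__(self, name: str, repository: CertRepository):
        self.name = name
        self.repository = repository
        self.last_request: Optional[OcspRequest] = None   # kept so a forwarded request can be inspected

    def handle(self, req: OcspRequest) -> OcspResponse:
        self.last_request = req
        results = self.repository.retrieve(req.request_list)   # certificate retrieval request/response
        return OcspResponse(self.name, results)                 # OCSP response carrying the results


class LocalResponder(OcspResponder):
    """Responder that also resolves and forwards cross-domain requests (steps 202-204 and 208)."""
    def __init__(self, name: str, repository: CertRepository, dns: DnsServer,
                 network: Dict[str, OcspResponder]):
        super().__init__(name, repository)
        self.dns = dns
        self.network = network   # IP address -> reachable responder, standing in for the transport

    def handle(self, req: OcspRequest) -> OcspResponse:
        if req.service_locator is None:
            return super().handle(req)                   # intra-domain: answer from the local repository
        ip = self.dns.resolve(req.service_locator)       # resolve the remote responder's domain name
        # Step 204: a new request whose requestorName is replaced by the local responder's own name.
        forwarded = OcspRequest(req.version, self.name, list(req.request_list))
        return self.network[ip].handle(forwarded)        # step 208: remote response forwarded unchanged


class OcspClient:
    def __init__(self, name: str, responder: OcspResponder):
        self.name = name
        self.responder = responder

    def check(self, serials: List[str], remote_domain: Optional[str] = None) -> Dict[str, str]:
        req = OcspRequest(version=1, requestor_name=self.name, request_list=list(serials),
                          service_locator=remote_domain)
        resp = self.responder.handle(req)
        # Defensive check: every requested serial must be answered; a missing entry counts as unknown.
        return {s: resp.results.get(s, UNKNOWN) for s in serials}


def build_scenario():
    """Constructed sample deployment: a home domain plus one remote operator domain."""
    home_repo = CertRepository({"SEG-01": GOOD, "ENB-07": REVOKED})
    remote_repo = CertRepository({"SEG-99": GOOD, "MME-42": REVOKED})
    remote = OcspResponder("ocsp.remote.example", remote_repo)
    dns = DnsServer({"ocsp.remote.example": "192.0.2.10"})         # documentation-range address
    local = LocalResponder("ocsp.home.example", home_repo, dns, {"192.0.2.10": remote})
    return OcspClient("seg-01-client", local), remote


def intra_domain_query() -> Dict[str, str]:
    client, _ = build_scenario()
    return client.check(["SEG-01", "ENB-07", "HENB-03"])


def cross_domain_query():
    """Returns the results and the requestorName that the remote responder actually saw."""
    client, remote = build_scenario()
    results = client.check(["SEG-99", "MME-42"], remote_domain="ocsp.remote.example")
    return results, remote.last_request.requestor_name
```

An unresolvable serviceLocator domain raises LookupError at the local responder before any request leaves the home domain, which is the failure the DNS step introduces.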

Claims (11)

1. A method for verifying certificate validity in a mobile backhaul network, applicable to verifying certificate validity within a domain, characterized in that the method comprises:
an Online Certificate Status Protocol (OCSP) client sends an OCSP query request carrying a request certificate list to an OCSP responder; after receiving the OCSP query request, the OCSP responder asks a certificate repository to verify the validity of the certificates in the request certificate list; the certificate repository queries the validity of the certificates in the request certificate list, and the certificate validity retrieval result is forwarded to the OCSP client through the OCSP responder.
2. The method of claim 1, characterized in that:
the OCSP query request also comprises the OCSP protocol version and the requestor name.
3. The method of claim 1, characterized in that:
the OCSP responder asking the certificate repository to verify the validity of the network element certificates means that the OCSP responder sends a certificate retrieval request message carrying the request certificate list to the certificate repository;
the request certificate list comprises the certificates of one or more network elements that the OCSP client wants to verify.
4. A method for verifying certificate validity in a mobile backhaul network, applicable to verifying certificate validity between domains, characterized in that the method comprises:
an Online Certificate Status Protocol (OCSP) client sends an OCSP query request carrying the domain name information of a remote OCSP responder and a request certificate list to a local OCSP responder; after receiving the OCSP query request, the local OCSP responder resolves the IP address of the remote OCSP responder from its domain name and then sends an OCSP query request carrying the request certificate list to the remote OCSP responder;
the remote OCSP responder asks a remote certificate repository to verify the validity of the certificates in the request certificate list; the remote certificate repository queries the validity of the certificates in the request certificate list, and the certificate validity retrieval result is forwarded to the OCSP client through the remote OCSP responder and the local OCSP responder.
5. The method of claim 4, characterized in that:
the local OCSP responder resolving the IP address of the remote OCSP responder from its domain name after receiving the OCSP query request means:
the local OCSP responder obtains the domain name information of the remote OCSP responder from the OCSP query request and sends a domain name resolution request carrying that domain name information to a domain name resolution server; the domain name resolution server resolves the IP address of the remote OCSP responder from its domain name and then returns a domain name resolution response carrying the IP address of the remote OCSP responder to the local OCSP responder.
6. The method of claim 4, characterized in that:
the domain name information of the remote OCSP responder is carried in the serviceLocator field of the OCSP query request.
7. A system for verifying certificate validity in a mobile backhaul network, applicable to verifying certificate validity within a domain, the system comprising an online certificate status protocol (OCSP) client, an OCSP responder and a certificate repository, characterized in that:
the OCSP client is configured to send an OCSP query request carrying a request certificate table to the OCSP responder;
the OCSP responder is configured to, after receiving the OCSP query request, request the certificate repository to verify the validity of the certificates in the request certificate table, and to send the received certificate validity query result to the OCSP client;
the certificate repository is configured to query the validity of the certificates in the request certificate table according to the request certificate table, and to send the certificate validity query result to the OCSP responder.
8. The system as claimed in claim 7, characterized in that:
the OCSP query request further comprises an OCSP protocol version and a requestor name;
the request certificate table comprises the certificates of one or more network elements that the OCSP client is to verify.
9. A system for verifying certificate validity in a mobile backhaul network, applicable to verifying certificate validity between domains, comprising an online certificate status protocol (OCSP) client, a local OCSP responder, a remote OCSP responder and a remote certificate repository, characterized in that:
the OCSP client is configured to send an OCSP query request to the local OCSP responder, carrying the request certificate table and the domain-name information of the remote OCSP responder;
the local OCSP responder is configured to, after receiving the OCSP query request, resolve the IP address of the remote OCSP responder from the domain-name information of the remote OCSP responder and send an OCSP query request carrying the request certificate table to the remote OCSP responder; it is further configured to send the received certificate validity query result to the OCSP client;
the remote OCSP responder is configured to, after receiving the OCSP query request, request the remote certificate repository to verify the validity of the certificates in the request certificate table, and to send the received certificate validity query result to the local OCSP responder;
the remote certificate repository is configured to query the validity of the certificates in the request certificate table according to the request certificate table, and to send the certificate validity query result to the remote OCSP responder.
10. The system as claimed in claim 9, characterized in that:
the system further comprises a domain name resolution server;
the local OCSP responder resolving the IP address of the remote OCSP responder from the domain-name information of the remote OCSP responder after receiving the OCSP query request means that:
the local OCSP responder obtains the domain-name information of the remote OCSP responder from the OCSP query request and sends a domain name resolution request carrying the domain-name information of the remote OCSP responder to the domain name resolution server;
the domain name resolution server is configured to resolve the IP address of the remote OCSP responder from the domain-name information of the remote OCSP responder, and then to return a domain name resolution response carrying the IP address of the remote OCSP responder to the local OCSP responder.
11. The system as claimed in claim 9, characterized in that:
the local OCSP responder carries the domain-name information of the remote OCSP responder in the service locator field of the OCSP query request.
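The query flow of claims 7 to 11, as an added in-memory model that is not the patent's own code: an OCSP client sends a request carrying a request certificate table and, for the inter-domain case, the remote responder's domain name in the service locator field; the local responder either answers from its own repository or resolves the name and forwards only the certificate table. All domain names, addresses, serials and statuses below are constructed sample values.

```python
"""Added example, not the patent's own code: a small in-memory model of the
OCSP query flow claimed above (intra-domain, claims 7-8; inter-domain, claims 9-11)."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class OcspRequest:
    version: int                           # OCSP protocol version (claim 8)
    requestor_name: str                    # requestor's name (claim 8)
    cert_table: tuple                      # request certificate table: NE certificate serials
    service_locator: Optional[str] = None  # remote responder domain name (claims 6, 11)

class CertificateRepository:
    """Certificate statuses of one domain; values use the OCSP good/revoked/unknown set."""
    def __init__(self, status):
        self.status = status

    def query(self, cert_table):
        return {serial: self.status.get(serial, "unknown") for serial in cert_table}

class RemoteResponder:
    def __init__(self, repo):
        self.repo = repo

    def handle(self, req):
        return self.repo.query(req.cert_table)

class LocalResponder:
    def __init__(self, repo, resolve, responders_by_ip):
        self.repo, self.resolve, self.responders_by_ip = repo, resolve, responders_by_ip

    def handle(self, req):
        if req.service_locator is None:             # intra-domain: answer from own repository
            return self.repo.query(req.cert_table)
        ip = self.resolve(req.service_locator)      # DNS step of claims 5 and 10
        if ip is None or ip not in self.responders_by_ip:
            raise LookupError(f"cannot resolve remote responder {req.service_locator!r}")
        # Forward only the request certificate table (claim 4); the locator is consumed here.
        fwd = OcspRequest(req.version, req.requestor_name, req.cert_table)
        return self.responders_by_ip[ip].handle(fwd)

# Constructed sample deployment: domain A (local) and domain B (remote), TEST-NET-1 address.
DNS = {"ocsp.domain-b.example": "192.0.2.10"}
REMOTE = RemoteResponder(CertificateRepository({"B-0001": "good", "B-0002": "revoked"}))
LOCAL = LocalResponder(CertificateRepository({"A-0001": "good"}), DNS.get, {"192.0.2.10": REMOTE})

def check(serials, remote_domain=None):
    """OCSP client: one query, intra-domain (no locator) or inter-domain (locator set)."""
    return LOCAL.handle(OcspRequest(1, "ne-controller.domain-a.example", tuple(serials), remote_domain))
```

A serial the remote repository has never issued comes back as "unknown" rather than "good", and an unresolvable locator fails the query instead of silently falling back to the local repository.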
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN200910171494.9A (CN102026161B, en) | 2009-09-21 | 2009-09-21 | System and method for validity verification of certificate in mobile backhaul net

Publications (2)

Publication Number | Publication Date
CN102026161A | 2011-04-20
CN102026161B | 2014-11-05

Family ID: 43866885

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN200910171494.9A (CN102026161B, en) | System and method for validity verification of certificate in mobile backhaul net | 2009-09-21 | 2009-09-21 | Expired - Fee Related

Country Status (1)

Country | Link
CN (1) | CN102026161B (en)


Legal Events

Code | Title | Description
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2014-11-05; Termination date: 2020-09-21