¤â¤¯¤¸
1. ¤Ï¤¸¤á¤Ë
2. HPKP¤¬À¸¤Þ¤ì¤¿ÇØ·Ê
3. HPKP¤Î»ÅÁȤß
4. ¥Ô¥ó¤ÎÀßÄê¤Î¹Í»¡
¡¡4.1. ¥Ô¥ó¤ÎÃͤμèÆÀÊýË¡
¡¡4.2. ¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤Ë°ìÃפ¹¤ë¥Ô¥ó¤ÎÁªÂò
¡¡4.3. ¾ÚÌÀ½ñ¹¹¿·¤ÈHPKP¥Ø¥Ã¥À¤ÎÀßÄêÊѹ¹¤Î±¿ÍÑÊýË¡
¡¡4.4. ¥Ð¥Ã¥¯¥¢¥Ã¥×¥Ô¥ó¤È¤¤¤¦Ì¾Á°¤Î¥¤¥±¤Æ¤Ê¤µ
¡¡4.5. CA¸°¤Î¥Ð¥Ã¥¯¥¢¥Ã¥×¥Ô¥ó¤Î¥ª¥¹¥¹¥á¤ÎÃÍ
¡¡4.6. ¾ÚÌÀ½ñ¥Á¥§¡¼¥óÃæ¤ÇÊ£¿ô¥Ô¥ó¤ò¤Ä¤±¤Æ¤â°ÕÌ£¤Ï¤Ê¤¤
¡¡4.7. Ʊ¤¸CA¾ÚÌÀ½ñ¤ËPin¤·Â³¤±¤ë¾ì¹ç¤Î²ÝÂê
¡¡4.8. 2¤Ä¤ÎCA¾ÚÌÀ½ñ¤ËPin¤¹¤ë¾ì¹ç¤Î²ÝÂê
¡¡4.9. max-age¤Î¥ª¥¹¥¹¥áÃͤò¹Í¤¨¤ë
5. HPKP¤Ï¤É¤ÎÄøÅٻȤï¤ì¤Æ¤¤¤ë¤Î¤«
6. º£¤ÎHPKP¤Î²¿¤¬¤¤¤±¤Ê¤«¤Ã¤¿¤Î¤«
7. ¤ª¤ï¤ê¤Ë
8. (»²¹Í) HPKP´ØÏ¢¤ÎÊÙ¶¯¤Ë¤Ê¤ë¥ê¥ó¥¯
9. Äɵ­
¡¡9.1. Äɵ­(2017.02.26) HPKP¤Î¥Ö¥é¥¦¥¶¥µ¥Ý¡¼¥È¾õ¶·
¡¡9.2. Äɵ­(2017.02.26) smashingmagazine.com¤ÇȯÀ¸¤·¤¿HPKP¾ã³²

1. ¤Ï¤¸¤á¤Ë

HPKP¤È¤ÏHTTP Public Key Pinning¤Îά¤Ç¡¢RFC 7469 Public Key Pinning Extension for HTTP¤Çµ¬Äꤵ¤ì¤Æ¤ª¤ê¡¢ ¥¦¥§¥Ö¥µ¥¤¥È¤Î¥ª¡¼¥Ê¡¼¤¬¡¢¥Ë¥»¤Î¥µ¥¤¥È¤Ç°Õ¿Þ¤·¤Ê¤¤¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤¬»È¤ï¤ì¤Ê¤¤¤è¤¦¤ËÊݸ¤ë¤¿¤á¤Î»ÅÁȤߤǤ¹¡£

ÆüËܸì²òÀâ¤Ï¾¯¤Ê¤¤¤Ç¤¹¤¬¡¢·É°¦¤¹¤ë jovi0608¤µ¤ó¤Îµ­»ö¤äJxck¤µ¤ó¤Îµ­»ö¤Ê¤É¤Ç¤â²òÀ⤵¤ì¤Æ¤¤¤Þ¤¹¡£

»ä¤â3ǯ¤Á¤ç¤¤Á°¡¢IPA¤Î¥¬¥¤¥É¤ò½ñ¤¤¤Æ¤¤¤¿Á°¤¢¤¿¤ê¤«¤é¡¢HPKP¤Î±¿ÍѾå¤Î²ÝÂê¤Ë¤Ä¤¤¤Æ¡¢²¿¤«¥Ö¥í¥°Åù¤Ç½ñ¤­¤¿¤¤¤È»×¤Ã¤Æ¤¤¤¿¤Î¤Ç¤¹¤¬¡¢¤Ê¤ó¤«Æüº¢¤Î¥Ø¥ó¤Ê¤³¤È¤ËË»»¦¤µ¤ì¤Æ¡¢¤³¤ì¤Þ¤Ç¤Þ¤È¤á¤Æ½ñ¤¯¤³¤È¤¬¤Ç¤­¤Þ¤»¤ó¤Ç¤·¤¿¡£(¤Ê¤ó¤«½ñ¤³¤¦¤È»×¤Ã¤Æ¤¿¤éjovi¤µ¤ó¤Î¤¬½Ð¤Á¤ã¤Ã¤Æ¡¢¤Þ¤¡¤¤¤¤¤«¤È»×¤Ã¤Á¤ã¤Ã¤¿¤Ã¤Æ¤¤¤¦¤Î¤â¤¢¤ê¤Þ¤¹w) IPA¤Î¥¬¥¤¥É¤Î»þ¤â½ñ¤«¤»¤Æ¤â¤é¤ª¤¦¤È¤·¤¿¤ó¤Ç¤¹¤¬¡¢¤Ê¤ó¤À¤«Âç¿Í¤Î»ö¾ð¤ÇÄɲ䵤»¤Æ¤â¤é¤¦¤³¤È¤¬¤Ç¤­¤Þ¤»¤ó¤Ç¤·¤¿¡£¤È¤Û¤Û¡£

º£²ó¤Ï¡¢HPKP¤È¤Ï²¿¤«¤È¤¤¤Ã¤¿´ðËÜŪ¤Ê¤³¤È¤Ï¡¢Â¾¤ÎÊý¤Î¥Ö¥í¥°¤Ë¾ù¤ë¤È¤·¤Æ¡¢HPKP¤Î¸½¾õ¤äHPKP¤Î±¿ÍѾå¤Î²ÝÂê¤Ë¤Ä¤¤¤Æ¥Õ¥©¡¼¥«¥¹¤·¤Æ½ñ¤­¤¿¤¤¤È»×¤Ã¤Æ¤¤¤Þ¤¹¡£Ä¹¤¯¤Ê¤ê¤½¤¦¤Ç¤¹¤¬¡¢¤´¤á¤ó¤Ê¤µ¤¤¤Í¡£

·ëÏÀ¤«¤é¸À¤¨¤Ð¡¢ËÜÈÖ¥µ¥¤¥È¤Ç°Â°×¤ËHPKP¤ò»È¤¦¤Î¤Ï¤ä¤á¤¿Êý¤¬¤¤¤¤¤È¹Í¤¨¤Æ¤¤¤Þ¤¹¡£¤½¤ì¤Ï¡¢HPKP¤Î»ÅÍͼ«ÂΤ¬±¿ÍѤò¤·¤Ã¤«¤ê¹Í¤¨¤ÆÀ߷פµ¤ì¤Æ¤ª¤é¤º¡¢°ìÈÌŪ¤Ê¥µ¥¤¥È¤Ç¤ÏÂ礷¤¿¥»¥­¥å¥ê¥Æ¥£¾å¤Î¸ú²Ì¤¬Ìµ¤¤³ä¤Ë¡¢Ä¹´ü¤Î±¿ÍѤǥµ¡¼¥Ó¥¹¤òÄ󶡤Ǥ­¤Ê¤¯¤Ê¤ë´ü´Ö¤¬È¯À¸¤¹¤ë¥ê¥¹¥¯¤¬¹â¤¹¤®¤ë¤·¡¢¾ÚÌÀ½ñ¤Î¥³¥¹¥È¤â;·×¤Ë¤«¤«¤ë¤«¤é¤Ç¤¹¡£

¤ª¤½¤é¤¯¡¢HPKP¤Î±¿ÍѤˤĤ¤¤Æ¿¼¤¯Æͤùþ¤ó¤Ç¤«¤¤¤¿¡¢À¤³¦¤Ç¤Ï½é¤á¤Æ¤Î²òÀâ»ñÎÁ¤«¤Ê¤È»×¤¤¤Þ¤¹¡£¤´¾ÐǼ¤¯¤À¤µ¤¤w

2. HPKP¤¬À¸¤Þ¤ì¤¿ÇØ·Ê

2011ǯº¢¤«¤é¡¢Ç§¾Ú¶É¤òÂоݤˤ·¤¿¥µ¥¤¥Ð¡¼¹¶·â¤ä¡¢Ç§¾Ú¶É¤Î±¿ÍѾå¤ÎÉÔÈ÷¤Ê¤É¤Ç¡¢¹¶·â¤ËÍøÍѤ·¤ä¤¹¤¤Google¤äFacebook¤È¤¤¤Ã¤¿Í­Ì¾¥µ¥¤¥È¸þ¤±¤Î¥ï¥¤¥ë¥É¥«¡¼¥É¾ÚÌÀ½ñ(*.google.comÅù)¤ò¼èÆÀ¤µ¤ì¤Æ¤·¤Þ¤¦¤È¤¤¤¦»ö·ï¤¬Áý¤¨¤Æ¤­¤Þ¤·¤¿¡£Google¤òÅܤ餻¤Á¤ã¤Ã¤¿¤Î¤Ï2011ǯ¤Î¥ª¥é¥ó¥À¤Îǧ¾Ú¶ÉDigiNotar¤¬ÉÔÀµ¿¯Æþ¤ò¼õ¤±¡¢*.google.com¤Î¥ï¥¤¥ë¥É¥«¡¼¥É¾ÚÌÀ½ñ¤òȯ¹Ô¤µ¤ì¡¢¥¤¥é¥ó¤Î¥×¥í¥Ð¥¤¥À¤ÎÅðÄ°¤ä¹¶·â¤Ë»È¤ï¤ì¤¿¤È¤¤¤¦»ö·ï¤¬¤¢¤ê¤Þ¤·¤¿¡£
hpkp-digi
¤³¤Î¤è¤¦¤Ê»ö·ï¤òËɤ°¤¿¤á¤Ë¤Ï¡¢¥¦¥§¥Ö¥µ¥¤¥È¤ËÂФ·¤Æ¡¢¥µ¥¤¥È¥ª¡¼¥Ê¡¼¤Î°Õ¿Þ¤·¤Ê¤¤¾ÚÌÀ½ñ¤¬»È¤ï¤ì¤¿¾ì¹ç¤Ë¡¢·Ù¹ð¤òȯ¤¹¤ë»ÅÁȤߤ¬É¬ÍפǤ¹¡£¤½¤³¤Ç³«È¯¤µ¤ì¤¿¤Î¤¬¡¢HPKP¤Ç¤¹¡£HPKP¤Ç¤Ï¡¢¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤Î¾ÚÌÀ½ñ¸ø³«¸°¤Î¥Ï¥Ã¥·¥å¤Î°ìÃפò³Îǧ¤¹¤ë¤³¤È¤Ë¤è¤ê¡¢¥¦¥§¥Ö¥µ¥¤¥È¥ª¡¼¥Ê¡¼¤Î°Õ¿Þ¤·¤¿¾ÚÌÀ½ñ¤«¤É¤¦¤«¸¡¾Ú¤¹¤ë¤³¤È¤¬¤Ç¤­¤Þ¤¹¡£
hpkp-hpkp1
jovi¤µ¤ó¤Î¥Ö¥í¥°¤Î1¾Ï¤ÇÇطʤȻÅÁȤߤò¤ï¤«¤ê¤ä¤¹¤¯²òÀ⤵¤ì¤Æ¤¤¤ë¤Î¤Ç¡¢¤½¤Á¤é¤â¤´Í÷失¤ì¤Ð¤È»×¤¤¤Þ¤¹¡£

3. HPKP¤Î»ÅÁȤß

HPKP¤Î¼ÂÁõÊýË¡¤Ë¤Ï2¤Ä¤ÎÊýË¡¤¬¤¢¤ê¤Þ¤¹¡£

  • 1) Google¡¢Facebook¡¢Twitter¤Ê¤É¤Îͭ̾¥µ¥¤¥È¸þ¤±¤Î¡¢Chrome¡¢Firefox¤Ê¤É¥Ö¥é¥¦¥¶¤ËÁȤ߹þ¤Þ¤ì¤¿¥Ô¥ó¤Î¥ê¥¹¥È(Preloaded Known Pinned Host List)¤È¾È¹ç¤¹¤ëÊýË¡
  • 2) HTTPS¤ÇÄÌ¿®¤¹¤ëºÝ¤Ë¡¢¥µ¡¼¥Ð¡¼¤«¤é¥Ô¥ó¾ðÊó¤ÎHTTP¥Ø¥Ã¥À¤ò¼èÆÀ¤·¡¢¤½¤ì¤ò¥Ö¥é¥¦¥¶¤ËÊݴɤ·¤Æ¤ª¤­¡¢°Ê¹ß¤ÎÄÌ¿®¤Ç¾È¹ç¤Ë»È¤¦ÊýË¡
1) ¤ÎÊýË¡¤Ï¡¢¥Ö¥é¥¦¥¶¤òºÇ¿·¤Ë¤Ê¤Ã¤Æ¤¤¤ë¤Ê¤é¤Ð²¿¤âÀßÄꤷ¤Ê¤¯¤Æ¤â¡¢Í­Ì¾¤Ê¥µ¥¤¥È¤Ë¤Ä¤¤¤Æ¤ÏHPKP¤ò»È¤Ã¤Æ°ÂÁ´¤ËÀܳ¤¹¤ë¤³¤È¤¬¤Ç¤­¤Þ¤¹¡£º£²ó¤Îµ­»ö¤ÇµÄÏÀ¤·¤¿¤¤¤Î¤Ï2)¤Î¥µ¥¤¥È¥ª¡¼¥Ê¡¼¤¬ÀßÄꤹ¤ë¾ì¹ç¤Ë¤Ä¤¤¤Æ¤Ê¤Î¤Ç¡¢2)¤Î»ÅÁȤߤˤĤ¤¤ÆÀâÌÀ¤·¤Þ¤¹¡£
hpkp-sethead
¥¦¥§¥Ö¥µ¡¼¥Ð¡¼¤ËÉÔÀµ¤Ê¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤ËÀܳ¤µ¤»¤Ê¤¤¤¿¤á¤ÎHPKP HTTP¥Ø¥Ã¥À¤òÀßÄꤹ¤ë¤Î¤Ç¤¹¤¬¡¢¤³¤ì¤Ï¥¦¥§¥Ö¥µ¡¼¥Ð¡¼¤ÎHTTPSÀßÄê¤Ç»ÈÍѤ¹¤ë¥ë¡¼¥È¾ÚÌÀ½ñ¤«¤éSSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Þ¤Ç¤Î¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤ò¸µ¤ËÀßÄꤷ¤Þ¤¹¡£HTTP¥Ø¥Ã¥À¤È¤½¤ÎÃͤνñ¼°¤Ï°Ê²¼¤Î¤è¤¦¤Ë¤Ê¤Ã¤Æ¤¤¤Þ¤¹¡£
Public-Key-Pins: \ ¡¡¡¡pin-sha256="¥Á¥§¡¼¥óÃæ¤Î¸ø³«¸°¤Î¤É¤ì¤«¤ÎSHA256¥Ï¥Ã¥·¥åÃͤÎBase64"; \ ¡¡¡¡pin-sha256="¥Á¥§¡¼¥óÃæ¤Î¸ø³«¸°¤Î¤É¤ì¤Ë¤â°ìÃפ·¤Ê¤¤SHA256¥Ï¥Ã¥·¥åÃͤÎBase64"; \ ¡¡¡¡[pin-sha256="¤½¤Î¾¥Ï¥Ã¥·¥åÃÍ1"; ...; ] \ ¡¡¡¡max-age=¥Ö¥é¥¦¥¶¤Ë¤³¤ÎHPKP¥Ø¥Ã¥À¤¬Êݴɤµ¤ì¤ëÉÿô; \ ¡¡¡¡[includeSubDomain;] \¡¡¡¡¡¡¡¡¥µ¥Ö¥É¥á¥¤¥ó(example.com¤Ê¤ésub.example.com)¤âHPKP¤ÎÂоݤˤ¹¤ë¤« ¡¡¡¡[report-uri="JSON·Á¼°¤Î¥¨¥é¡¼¥ì¥Ý¡¼¥È¤¬POST¤µ¤ì¤ëURL"; ] [...]¤Ï¥ª¥×¥·¥ç¥ó
  • pin-sha256¤Ï¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤ò¸µ¤ËÀßÄꤷ¤Þ¤¹¤¬¡¢¤½¤ÎÀßÄêÊýË¡¤ä¹Í»¡¤Ë¤Ä¤¤¤Æ¤Ï¸å¤Ç½Ò¤Ù¤Þ¤¹¡£
  • max-age¤ÎÊݸ´ü´Ö¤ÏRFC¤Î4.1Àá¤Ç¹Í»¡¤·¤Æ¤ª¤ê60Æü(=5184000ÉÃ)¤¬Îɤ¤¤Î¤Ç¤Ï¡©¤È¤·¤Æ¤¤¤Þ¤¹¤¬¡¢¤½¤Î¹Í»¡¤â¸å¤Ç½Ò¤Ù¤µ¤»¤Æ²¼¤µ¤¤¡£
  • includeSubDmain¤Ï¡¢¥µ¥Ö¥É¥á¥¤¥ó¤Þ¤Ç´Þ¤á¤ë¤«¡¢Î㤨¤Ð example.com ¤ËHPKP¤òÀßÄꤷ¤¿¤é¡¢sub1.example.com¤â¡¢www1.sub2.example.com¤âHPKP¤ÎÂоݤˤ¹¤ë¤È¤¤¤¦¥Õ¥é¥°¤Ç¤¹¡£¸½»þÅÀ¤Ç»ý¤Ã¤Æ¤¤¤Ê¤¤¤Ê¤é°Â°×¤ËÀßÄꤷ¤Ê¤¤Êý¤¬Îɤ¤¤è¤¦¤Ë»×¤¤¤Þ¤¹¡£
  • HPKP¤Ï¡¢CSP¤Ê¤É¤ÈƱÍͤˤ˥֥饦¥¶Â¦¤Ç¸¡¾Ú¤¹¤ë¤Î¤Ç¡¢¥µ¡¼¥Ð¡¼Â¦¤Ë¤Ï¥¨¥é¡¼¸¶°ø¤¬ÇÄ°®¤Ç¤­¤ºº¤¤ë¤³¤È¤¬¤¢¤ê¤Þ¤¹¡£report-uri¤ò»È¤¨¤Ð¡¢¥Ö¥é¥¦¥¶¤ÇHPKP¤Î¥¨¥é¡¼¤¬È¯À¸¤·¤¿ºÝ¤Ë¡¢»ØÄꤷ¤¿URL¤Î¥¦¥§¥Ö¥µ¡¼¥Ð¡¼¤ËJSON·Á¼°¤Î¥¨¥é¡¼¥ì¥Ý¡¼¥È¤òPOST¤¹¤ë¤³¤È¤ÇÁ÷¿®¤·¤Þ¤¹¤Î¤Ç¡¢ÀßÄê¾å¤ÎÌäÂê¤òÃΤë¤Î¤ËÌòΩ¤Ä¤«¤â¤·¤ì¤Þ¤»¤ó¡£Jxck¤µ¤ó¤Î¥Ö¥í¥°¤ÇÀßÄê¤ò»î¤·¤Æ¤ß¤¿¤È¤¤¤¦¾Ü¤·¤¤Êó¹ð¤¬¤µ¤ì¤Æ¤¤¤ë¤Î¤Ç¤´Í÷¤Ë¤Ê¤ë¤ÈÎɤ¤¤Ç¤·¤ç¤¦¡£¥Ö¥í¥°¤Ç¤â½ñ¤«¤ì¤Æ¤¤¤Þ¤¹¤¬¡¢¥ì¥Ý¡¼¥È¤¬½ÐÎϤµ¤ì¤ë¾ò·ï¤¬¤è¤¯¤ï¤«¤é¤º¡¢¥Ö¥é¥¦¥¶¤ä¥Ð¡¼¥¸¥ç¥ó¤Ë¤â°Í¸¤¹¤ë¤è¤¦¤Ç¡¢»ä¤â¥ì¥Ý¡¼¥ÈÀ¸À®¤¬¤¦¤Þ¤¯¤Ç¤­¤Æ¤¤¤Þ¤»¤ó¡£
¤Þ¤¿¡¢HTTP¥Ø¥Ã¥À¤Ë¤Ä¤¤¤Æ "Public-Key-Pins" ¤Ç¤Ï¤Ê¤¯¡¢"Public-Key-Pins-Report-Only" ¤ÈÀßÄꤹ¤ì¤Ð¡¢¥Ö¥é¥¦¥¶¤Ç¤Ï¥¨¥é¡¼¤òȯÀ¸¤µ¤»¤ë¤³¤È¤Ê¤¯¡¢¥¨¥é¡¼¥ì¥Ý¡¼¥È¤Î¼ý½¸¤Ï¤Ç¤­¤Þ¤¹¤Î¤Ç¡¢¥Æ¥¹¥È¤ÎºÝ¤Ë¤³¤ì¤ò»È¤¦¤ÈÎɤ¤¤Ç¤·¤ç¤¦¡£

4. ¥Ô¥ó¤ÎÀßÄê¤Î¹Í»¡

pin-sha256°À­¤ò»È¤Ã¤Æ¥Ô¥ó¤òÀßÄꤹ¤ë¤³¤È¤Ë¤è¤ê¡¢¥µ¡¼¥Ð¡¼¥ª¡¼¥Ê¡¼¤¬°Õ¿Þ¤·¤Ê¤¤¾ÚÌÀ½ñ¤¬»È¤ï¤ì¤ë¤³¤È¤òËɤ°¤³¤È¤¬¤Ç¤­¤Þ¤¹¡£ ¥Ô¥ó¤ÎÃͤϡ¢¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤Î¾ÚÌÀ½ñ¤Î²¿¤ì¤«¤Î¾ÚÌÀ½ñ¤Ë°ìÃפ¹¤ë¤â¤Î¤òºÇÄã°ì¤Ä¡¢ ¤É¤ì¤Ë¤â°ìÃפ·¤Ê¤¤¤â¤Î¤òºÇÄã°ì¤Ä¤Î·×2¤Ä°Ê¾å¤Ë¤è¤ê¹½À®¤µ¤ì¤Þ¤¹¡£
hpkp-intersect

4.1. ¥Ô¥ó¤ÎÃͤμèÆÀÊýË¡

¤µ¤Æ¡¢°ìÈÖ´Êñ¤Ê¥Ï¥Ã¥·¥åÃͤμèÆÀÊýË¡¤Ç¤¹¤¬¡¢¤¹¤Ç¤Ë¥¦¥§¥Ö¥µ¡¼¥Ð¡¼¤ÎHTTPSÀßÄ꤬´°Î»¤·¤Æ¤¤¤ë¤Ê¤é¤Ð¡¢Scott Helme»á¤ÎHPKP¥Ï¥Ã¥·¥å¤Î½êÆÀ¥Ú¡¼¥¸¤òÍøÍѤ¹¤ë¤Î¤¬Îɤ¤¤Ç¤¹¡£¼«Ê¬¤Î¤Ç¤â¾¿Í¤Î¤Ç¤âHTTPS¥µ¥¤¥È¤ÎURL¤òÆþÎϤ¹¤ì¤Ð¡¢¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤Î³Æ¾ÚÌÀ½ñ¤Î¥Ô¥ó¤Î¥Ï¥Ã¥·¥åÃͤò·×»»¤·¤Æ¤¯¤ì¤Þ¤¹¡£
index
SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤«¤é½ç¤Ë¥ë¡¼¥È¾ÚÌÀ½ñ¤Þ¤Ç¡¢¥Ô¥ó¤Î¥Ï¥Ã¥·¥åÃͤ¬

pin-sha256="hUIG87ch71EZQYhZBEkq2VKBLjhussUw7nR8wyuY7rY="
¤Î¤è¤¦¤Ëɽ¼¨¤µ¤ì¤Þ¤¹¤Î¤Ç¡¢¤É¤Î¥Ô¥ó¤ò»È¤¦¤Î¤«¤ò·è¤á¤ÆHTTP¥Ø¥Ã¥À¤ËÀßÄꤹ¤ë¤À¤±¤Ç¤¹¡£

°ì¤Ä¤Î¥Ô¥ó¤Î¥Ï¥Ã¥·¥åÃͤη׻»¤Ç¤¹¤¬¡¢¾ÚÌÀ½ñ¤«¤é¤Ç¤â¡¢¾ÚÌÀ½ñȯ¹ÔÍ×µá(CSR/PKCS#10)¤Ç¤â¡¢ ÈëÌ©¸°¤È¸°¥¢¥ë¥´¥ê¥º¥à¤Ë¤è¤Ã¤Æ¤Ï¸°¥Ñ¥é¥á¡¼¥¿¡¼¤«¤éÃê½Ð¤µ¤ì¤¿PKCS#8¸ø³«¸°¤«¤é¤Ç¤â¥Ï¥Ã¥·¥åÃͤò·×»»¤¹¤ë¤³¤È¤¬¤Ç¤­¤Þ¤¹¡£ ¤¿¤À¡¢¤¤¤í¤ó¤Ê¿Í¤Î¥Ö¥í¥°¤Ç¤Ï¡¢¤ï¤¶¤ï¤¶CSR¤òºî¤Ã¤Æ¤«¤é¥Ï¥Ã¥·¥åÃͤò·×»»¤·¤Æ¤¤¤ë¤è¤¦¤Ç¤¹¤¬¡¢Æä˾ÚÌÀ½ñ¤Î¤Þ¤À̵¤¤¥Ð¥Ã¥¯¥¢¥Ã¥×¥Ô¥ó¤Î¾ì¹ç¤Ë¤Ï¡¢ ¤½¤ó¤Ê¤³¤È¤ò¤·¤Ê¤¯¤È¤â¡¢¸ø³«¸°¤«¤é¥Ï¥Ã¥·¥å·×»»¤¹¤ë¤Î¤¬Îɤ¤¤è¤¦¤Ë»×¤¤¤Þ¤¹¡£ Àè¤Û¤É¤ÈƱÍͤˡ¢Scott Helme»á¤Î¥Ä¡¼¥ë¤ÇPEM·Á¼°¤ÎPKCS#8¸ø³«¸°¡¢CSR¡¢X.509¾ÚÌÀ½ñ¤òÆþÎϤ¹¤ì¤Ð¡¢¥Ô¥ó¤Î¥Ï¥Ã¥·¥åÃͤò·×»»¤·¤Æ¤¯¤ì¤ë¥Ú¡¼¥¸¤¬¤¢¤ë¤Î¤Ç¡¢¤³¤ì¤ò»È¤¦¤Î¤¬´Êñ¤Ç¤¹¡£

¼êºî¶È¤Ç¥Ô¥ó¤ò¼èÆÀ¤¹¤ë¾ì¹ç¤Ë¤Ï¡¢°Ê²¼¤ò¼Â»Ü¤¹¤ì¤Ð¸ø³«¸°¤ÎSHA256¥Ï¥Ã¥·¥å¤Ç¤¢¤ë¥Ô¥ó¤ÎÃͤ¬¼èÆÀ¤Ç¤­¤Þ¤¹¡£Â¾¤Î²òÀâµ­»ö¤Ç¤Ï¡¢base64¥³¥Þ¥ó¥É¤ò»È¤Ã¤¿¤ê¡¢CSR¤ò¤¤¤Á¤¤¤ÁÀ¸À®¤¹¤ë¤Î¤ò¶¯À©¤µ¤»¤¿¤ê¤·¤Æ¤¤¤ë¤è¤¦¤Ç¤¹¤¬¡¢¤³¤³¤Ç¾Ò²ð¤¹¤ëÊýË¡¤ÏOpenSSL¥³¥Þ¥ó¥É¤·¤«»È¤ï¤º¡¢¤¤¤í¤¤¤í¤Ê¥±¡¼¥¹¤ËÂбþ¤·¤Æ¡¢¥Ô¥ó¤Î¼èÆÀ¤¬¤Ç¤­¤ë¤è¤¦¤Ë¡¢Îã¤ò¼¨¤·¤Æ¤ª¤­¤Þ¤·¤¿¡£

X.509¾ÚÌÀ½ñ¤«¤ésubjectPublicKeyInfo¥Õ¥£¡¼¥ë¥É¤Ë¤¢¤ëPKCS#8¸ø³«¸°¤Î¥Ô¥ó¤ÎÆþ¼ê % openssl x509 -in PEM¾ÚÌÀ½ñ -pubkey -noout | openssl rsa -pubin -outform DER | \ openssl dgst -sha256 -binary | openssl enc -base64 te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU= CSR¤«¤ésubjectPKInfo¥Õ¥£¡¼¥ë¥É¤Ë¤¢¤ëPKCS#8¸ø³«¸°¤Î¥Ô¥ó¤ÎÆþ¼ê % openssl req -in PEMCSR¥Õ¥¡¥¤¥ë -pubkey -noout | openssl rsa -pubin -outform DER | \ openssl dgst -sha256 -binary | openssl enc -base64 te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU= PKCS#8ÈëÌ©¸°¤«¤é¥Ô¥ó¤ÎÆþ¼ê % openssl rsa -in PKCS#8ÈëÌ©¸° -pubout -outform DER | \ openssl dgst -sha256 -binary | openssl enc -base64 te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU= PKCS#8¸ø³«¸°¤«¤é¥Ô¥ó¤ÎÆþ¼ê % openssl rsa -pubin -in PKCS#8¸ø³«¸° -pubout -outform DER | \ openssl dgst -sha256 -binary | openssl enc -base64 te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU= ÆÀ¤é¤ì¤¿Ãͤò pin-sha256="te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=" ¤Î¤è¤¦¤Ë¥Ø¥Ã¥À¤ËÀßÄꤹ¤ë¡£
Ãͤò¼èÆÀ¤·¤¿¤é¡¢¥¦¥§¥Ö¥µ¡¼¥Ð¡¼¤ÎHTTP¥Ø¥Ã¥À¤ËÀßÄꤷ¤Þ¤¹¡£Î㤨¤Ð¡¢Apache HTTP Server¤Î¾ì¹ç¤Ë¤Ï¡¢°Ê²¼¤Î¤è¤¦¤ËÀßÄꤷ¤Þ¤¹¡£
<VirtualHost _default_:443> ... Header set Public-Key-Pins \ "pin-sha256=\"MRnxhYBVCMAxZHwalTJ7ZVl6P2005lll4ttWr+RN1Ro=\"; \ pin-sha256=\"633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q=\"; \ max-age=2592000; \ report-uri=\"https://report.example.com\"" ... Æɤߤ䤹¤µ¤Î¤¿¤á¤Ë¥Ð¥Ã¥¯¥¹¥é¥Ã¥·¥å¤È²þ¹Ô¤òÆþ¤ì¤Æ¤¤¤Þ¤¹¡£2592000ÉäÏ30Æü¤Ç¤¹¡£

4.2. ¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤Ë°ìÃפ¹¤ë¥Ô¥ó¤ÎÁªÂò

HPKP¤Ç¤Ï¡¢¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤Ë°ìÃפ¹¤ë¥Ô¥ó¤ò1¤Ä°Ê¾åÀßÄꤹ¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£ËÜÀá¤Ç¤Ï¡¢¼¡¤Î2¤Ä¤Ëʬ¤±¤Æ¹Í»¡¤·¤Æ¤ß¤¿¤¤¤È»×¤¤¤Þ¤¹¡£

  • 1) ¾ÚÌÀ½ñ¥Á¥§¡¼¥óÃæ¤Î¤É¤ì¤«°ì¤Ä¤Î¤ß¤òÁªÂò¤¹¤ë¾ì¹ç¤ÎÈæ³Ó¸¡Æ¤
  • 2) ¾ÚÌÀ½ñ¥Á¥§¡¼¥óÃæ¤Î2¤Ä°Ê¾å¡¢¤Þ¤¿¤ÏÁ´Éô¤òÁªÂò¤¹¤ë¾ì¹ç¤Î¹Í»¡

4.2. ¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤Ë°ìÃפ¹¤ë¥Ô¥ó¤ÎÁªÂò

¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤Ç¡¢SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¡¢Ãæ´ÖCA¾ÚÌÀ½ñ¡¢¥ë¡¼¥È¾ÚÌÀ½ñ¤Î¤è¤¦¤Ê3ÃʤξÚÌÀ½ñ¤Ë¤Ê¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢ ÉÔÀµ¤Ê°Õ¿Þ¤·¤Ê¤¤¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤Ë¤Ê¤Ã¤Æ¤¤¤Ê¤¤¤«¤É¤¦¤«¸¡¾Ú¤¹¤ë¤¿¤á¤Ë¡¢ ¤É¤ì¤«°ì¤Ä¤Î¥Ô¥ó¤òÁª¤Ö¤È¤¹¤ì¤Ð¡¢¤É¤ì¤òÁª¤Ù¤ÐÎɤ¤¤Ç¤·¤ç¤¦¤«¡£ ¤³¤ì¤é3¤Ä¤Î¥±¡¼¥¹¤Ç¡¢¤½¤ì¤¾¤ìĹ½ê¡¢Ã»½ê¤¬¤¢¤ë¤Î¤Ç¡¢¹Í»¡¤·¤Æ¤ß¤¿¤¤¤È»×¤¤¤Þ¤¹¡£ SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Ë¤Ä¤¤¤Æ¤Ï¡¢¿ôǯ¸å¾ÚÌÀ½ñ¹¹¿·¤ÎºÝ¤Ë»ÈÍѤ¹¤ë¸°¥Ú¥¢¤¬¤¢¤é¤«¤¸¤á·è¤Þ¤Ã¤Æ¤¤¤ë¾ì¹ç(=¸°»öÁ°À¸À®)¡¢·è¤Þ¤Ã¤Æ¤¤¤Ê¤¤¾ì¹ç(=¸°»öÁ°À¸À®¤Ê¤·)¤Î¥±¡¼¥¹¤Ëʬ¤±¤Æ¹Í»¡¤·¤Þ¤¹¡£

¾ÚÌÀ½ñĹ½êû½ê°ÂÁ´À­±¿ÍÑÉéô
­¡¥ë¡¼¥ÈCA¾ÚÌÀ½ñ
  • Í­¸ú´ü´Ö¤¬Ä¹¤¤¤¿¤á¥Ô¥óÊѹ¹¤ÎÉÑÅÙ¤¬¾¯¤Ê¤¯¤ÆºÑ¤à¡£¤ª¤½¤é¤¯10ǯÄøÅÙ¤ÏÊѹ¹ÉÔÍ×
  • ¥Ö¥é¥¦¥¶ÁȤ߹þ¤ß¤Î¥×¥ê¥í¡¼¥É¥Ô¥ó¤Ç¤Ï¥ë¡¼¥È¾ÚÌÀ½ñ¤ò»ÈÍÑ
  • ¸°¹¹¿·¸å¤Î¸ø³«¸°¤Ï»öÁ°¤Ë¤Ï¤ï¤«¤é¤º¥Ð¥Ã¥¯¥¢¥Ã¥×¥Ô¥ó¤Ï»È¤¨¤Ê¤¤
  • ¿·¤·¤¤SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤ò¹ØÆþ¤·¤¿¾ì¹ç¤Ë¡¢Æ±¤¸¥ë¡¼¥Èǧ¾Ú¶É¤È¤Ï¸Â¤é¤º¡¢¤½¤ÎºÝ¤Ï¥Ô¥ó¤Î°Ü¹Ô¤¬É¬Í×
  • ¥ë¡¼¥È¾ÚÌÀ½ñÇÛ²¼¤Î¾ÚÌÀ½ñ¤Î¿ô¤ÏÈó¾ï¤Ë¿¤¯¡¢¤½¤Îǧ¾Ú¶É¤¬ÉÔÀµ¤Ê¾ÚÌÀ½ñ¤òȯ¹Ô¤µ¤ì¤¿¾ì¹ç¤Ë¡¢¹¶·â¤òËɤ²¤Ê¤¤¥ê¥¹¥¯¤Ï¹â¤¤¡£Î㤨¤Ð¡¢¥·¥Þ¥ó¥Æ¥Ã¥¯¼Ò¤¬Google¤Ëµö²Ä¤Ê¤¯Google¤Î¾ÚÌÀ½ñ¤òȯ¹Ô¤¹¤ë»ö·ï¤¬¤¢¤Ã¤¿¡£
  • ¾ÚÌÀ½ñ¹¹¿·¤Ç¥ë¡¼¥ÈCA¤¬Êѹ¹¤Ë¤Ê¤ë²ÄǽÀ­¤ÏÄ㤤¤¬¡¢Êѹ¹¤Ë¤Ê¤Ã¤¿¾ì¹ç¤Ë¤Ï¡¢max-age¤ËÇÛθ¤·¤¿ÌÌÅݤʰܹԤ¬É¬ÍפDZ¿ÍÑÉé²Ù¤¬¹â¤¤
Äã¹â
­¢Ãæ´ÖCA¾ÚÌÀ½ñ
  • Í­¸ú´ü´Ö¤¬¤ä¤äŤ¤¤¿¤á¥Ô¥óÊѹ¹¤ÎÉÑÅÙ¤¬¼ã´³¾¯¤Ê¤¯¤ÆºÑ¤à¡£¤ª¤½¤é¤¯5ǯÄøÅÙ¤ÏÊѹ¹ÉÔÍ×
  • °ÂÁ´À­¤È±¿ÍÑÉéô¤ÎÌ̤ǥХé¥ó¥¹¤¬¼è¤ì¤Æ¤¤¤ë¤«¡©
  • ¥Ô¥ó¤¹¤ëÃæ´ÖCA¤Î¸ø³«¸°¤ËÊѹ¹¤¬¤Ê¤«¤Ã¤¿¾ì¹ç¤ÎSSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Î¹¹¿·¤ÏÈæ³ÓŪ³Ú
  • ¥Ô¥ó¤·¤Æ¤¤¤ëÃæ´ÖCA¤Î¸ø³«¸°¤¬¡¢¼¡²ó¤ÎSSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¹¹¿·»þ¤ËƱ¤¸¤Ç¤¢¤ë¤È¤¤¤¦ÊݾڤϤʤ¤¡£
  • SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Î¹¹¿·»þ¤Ë¡¢Ãæ´ÖCA¾ÚÌÀ½ñ¤¬Êѹ¹¤Ë¤Ê¤ë¥ê¥¹¥¯¤¬¤¢¤ë¤¬¡¢¤½¤ì¤¬»öÁ° ¼þÃΤµ¤ì¤Ê¤¤¤¿¤á¤Ë¡¢SSLÀܳÉÔ¶ñ¹ç¤Ë¤è¤ë¥µ¡¼¥Ó¥¹Ää»ß¥ê¥¹¥¯¤¬¹â¤¤
  • Ãæ´ÖCA¾ÚÌÀ½ñ¤¬Êѹ¹¤Ë¤Ê¤Ã¤¿¾ì¹ç¤Î°Ü¹Ô¤Ë·¸¤ë±¿ÍÑÉéô¤Ï¡¢²ó¿ô¤â¡¢ºî¶ÈÉé²Ù¤â Èó¾ï¤Ë¹â¤¤
  • Ʊ¤¸Ãæ´ÖCA¤«¤é¡¢ÉÔÀµ¤ËƱ¤¸¥É¥á¥¤¥ó¤ËÂФ¹¤ë¾ÚÌÀ½ñ¤¬È¯¹Ô¤µ¤ì¤¿¾ì¹ç¤Ë¤â¸¡¾ÚÍ­¸ú¤È¤Ê¤Ã¤Æ¤·¤Þ¤¦¥ê¥¹¥¯¤¬¤¢¤ë¡£­¡¤è¤ê¤Ï¥ê¥¹¥¯¤ÏÄ㤤¤¬¡¢­£­¤¤è¤ê¤Ï¹â¤¤
  • ¾ÚÌÀ½ñ¹¹¿·¤ÇÃæ´ÖCA¤¬Êѹ¹¤Ë¤Ê¤ë²ÄǽÀ­¤Ï¤¢¤ëÄøÅÙ¤¢¤ê¡¢­¡¤è¤ê¤Ï³ÎΨ¤¬¹â¤¤¡£Êѹ¹¤Ë¤Ê¤Ã¤¿¾ì¹ç¤Ë¤Ï¡¢max-age¤ËÇÛθ¤·¤¿ÌÌÅݤʰܹԤ¬É¬ÍפDZ¿ÍÑÉé²Ù¤¬¹â¤¤
̾̾
­£SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ(¸°»öÁ°À¸À®)
  • SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Î¹¹¿·»þ¤Ë¡¢¥Ô¥ó¤·¤¿¸ø³«¸°¤Î¥Þ¥Ã¥Á¥ó¥°ÀßÄê¤Ë¼ºÇÔ¤¹¤ë²ÄǽÀ­¤¬Ä㤯¡¢HPKPÀßÄêÉÔÈ÷¤Ë¤è¤ë¥µ¡¼¥Ó¥¹Ää»ß¤Î¥ê¥¹¥¯¤ÏºÇ¤âÄ㤤
  • HPKP¤ÎRFC¤Ç¤Ï¡¢(¤µ¤é¤Ã¤È´Êñ¤Ë¤Ç¤­¤ë¤È¼è¤ì¤ë¤è¤¦¤Êµ­½Ò¤¬¤µ¤ì¤Æ¤ª¤ê)¿ä¾©¤µ¤ì¤Æ¤¤¤ë¤è¤¦¤Ë¼è¤ì¤ëÊýË¡
  • ÉÔÀµ¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤¬»È¤ï¤ì¤ë¥ê¥¹¥¯¤Ï¡¢(ÈëÌ©¸°Ï³±Ì¤Î¥ê¥¹¥¯¤ò½ü¤±¤Ð)­¤¤ÈƱÄøÅ٤ˡ¢­¡­¢¤è¤ê¹â¤¤
  • ¾ÚÌÀ½ñ¹¹¿·¤ÎÁ°¸å¤Ç¡¢Êѹ¹¤µ¤ì¤ë¥Ô¥ó¤¬¤¢¤é¤«¤¸¤á¤ï¤«¤Ã¤Æ¤¤¤ë¤Î¤Ç¡¢(max-ageÆâ¤ËºÆÅÙ¾ÚÌÀ½ñ¹¹¿·¤ò¤¹¤ë¤³¤È¤ò¤·¤Ê¤±¤ì¤Ð)max-age¤ò¤¢¤Þ¤êµ¤¤Ë¤»¤º¤Ë¾ÚÌÀ½ñ¤Î¹¹¿·¤¬¤Ç¤­¤ë
  • SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Î¹¹¿·»þ¤Ë¡¢¸°¥Ú¥¢¤Î»öÁ°À¸À®¤¬²Äǽ¤Ê¤Î¤Ï¡¢OpenSSLÅù¤Ë¤è¤ê¼êºî¶È¤Ç¸°¥Ú¥¢À¸À®¤·¤¿¾ì¹ç¤Î¤ß¤Ç¤¢¤ê¡¢¾ÚÌÀ½ñ¤Îȯ¹Ô»þ¤Ë¡¢CSR¤ò¼«Á°¤ÇÀ¸À®¤¹¤ëɬÍפ¬¤Ê¤¯¡¢¥Ö¥é¥¦¥¶¤Î¥³¥ó¥Ý¡¼¥Í¥ó¥È¤Ç¼«Æ°Åª¤Ë¸°¥Ú¥¢À¸À®¤¹¤ë¤è¤¦¤Ê¾ÚÌÀ½ñȯ¹Ô¥µ¡¼¥Ó¥¹¤Î¾ì¹ç¤Ë¤Ï¡¢ËÜÊý¼°¤Ï»È¤¨¤Ê¤¤
  • Let's Encrypt¤Ï»È¤¨¤º¡¢SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¼«Æ°¹¹¿·¤Ë·¸¤ë±¿ÍÑÉéô¤Î·Ú¸º¤Ï¸«¹þ¤á¤Ê¤¤
  • ¸°¥Ú¥¢¤Ï°ìÈ̤ˡ¢¾ÚÌÀ½ñ¤Î¹¹¿·»þ¤Ë¹Ô¤ï¤ì¤ë¤â¤Î¤À¤¬¡¢¤½¤ì¤ò2ǯÄøÅÙÁ°¤Ë¼Â»Ü¤¹¤ë¤³¤È¤Ë¤Ê¤ë¡£»öÁ°À¸À®¤·¤Æ¤ª¤¯¤È¡¢¤½¤Îʬ¡¢SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤ÎÈëÌ©¸°¤¬Ï³±Ì¤¹¤ë¥ê¥¹¥¯¤Ï¹â¤¯¡¢µ¡Ì©Êݴɤα¿ÍÑÉéô¤ÏÂ礭¤¤
  • ¾ÚÌÀ½ñ¤Î¹¹¿·»þ¤Ë¤Ï¡¢¤½¤ì¤Ê¤ê¤ËÀßÄêÊѹ¹¤Ëµ¤¤ò»È¤¦É¬Íפ¬¤¢¤ë¡£¤Þ¤¿¡¢¤½¤Î²ó¿ô¤â2ǯ¼åÄøÅÙ¤ª¤­¤Ç¤¢¤ê¡¢±¿ÍÑÉéô¤ÏÈæ³ÓŪ¹â¤¤
̾̾
­¤SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ(¸°»öÁ°À¸À®¤Ê¤·)
  • Á´¤Æ¤ò¼«¸ÊÀ©¸æ¤Ç¤­¡¢ÀßÄêÉÔÈ÷¤Ë¤è¤ë¥µ¡¼¥Ó¥¹Ää»ß¥ê¥¹¥¯¤Ï­£¤ÈƱÄøÅ٤˹⤤
  • ­£¤ËÈæ¤Ù¤ÆSSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤ÎÈëÌ©¸°¤¬Ï³±Ì¤¹¤ë¥ê¥¹¥¯¤âÄ㤤
  • ÉÔÀµ¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤¬»È¤ï¤ì¤ë¥ê¥¹¥¯¤Ï¡¢(ÈëÌ©¸°Ï³±Ì¤Î¥ê¥¹¥¯¤ò½ü¤±¤Ð)­¤¤ÈƱÄøÅ٤ˡ¢­¡­¢¤è¤ê¹â¤¤
  • SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤ò»È¤¨¤ë´ü´Ö¤¬¡¢É¬¤º (max-age + ¦Á)¡ß2 ʬ¤À¤±¸º¤ë¡£2ǯʪ¾ÚÌÀ½ñ¤Î¾ì¹ç¡¢max-age¤ò2¥ö·î¤È¤·¤¿¾ì¹ç¡¢¥Æ¥¹¥È¤ä;͵¤â´Þ¤á4¡Á5¥ö·îÄøÅÙ¤Ïû¤¯¤Ê¤ë¤³¤È¤Ë¤Ê¤ê¡¢¾ÚÌÀ½ñ¤ÎÈñÍÑÉéô¤¬Áý¤¨¤ë
  • ¾ÚÌÀ½ñ¹¹¿·¤ÎÁ°¸å¤Ç¾ÚÌÀ½ñ¤ÎÍ­¸ú´ü´Ö¤òmax-age+¦Á¤Ç¥ª¡¼¥Ð¡¼¥é¥Ã¥×¤µ¤»¤ì¤Ð¡¢É¬¤ºmax-age¤ËÇÛθ¤·¤Ê¤¬¤é¥Ô¥ó¤ÎÊѹ¹¤ò¹Ô¤¦¤³¤È¤Ë¤Ê¤ë¡£±¿ÍѤÎÉéô¤Ï¤¢¤ë¤¬¡¢¥Ô¥ó¤¬Êѹ¹¤Ë¤Ê¤ë¤«Ç§¾Ú¶É¼¡Âè¤Ç¤É¤¦¤Ê¤ë¤«¤ï¤«¤é¤Ê¤¤­¡­¢¤ËÈæ¤Ù¤Æ¡¢É¬¤ºmax-age¤ËÇÛθ¤·¤¿¡¢¾ÚÌÀ½ñ¹¹¿·¡¢HPKPÀßÄêÊѹ¹¤Î¥¹¥±¥¸¥å¡¼¥ë¤¬ÁȤá¤ë¤Î¤Ç¡¢Äê·¿±¿ÍѤˤǤ­¤ë¤¿¤á±¿ÍѤο´ÍýŪÉéô¤Ï­¡­¢¤è¤ê¤Ï¼ã´³¾¯¤Ê¤¤
  • ¹âÃæ
    ¤Ç¤Ï¡¢­¡¡Á­¤¤Ç¤Ï¡¢²¿¤òÁªÂò¤¹¤ë¤«¤Ç¤¹¤¬¡¢¥Ö¥é¥¦¥¶ÁȤ߹þ¤ß¤Î¥Ô¥ó¤¬»È¤¨¤Ê¤¤°ìÈÌ¥µ¥¤¥È¤Î¾ì¹ç¤Ï¡¢ ­¢¡Á­£¤Î¤¤¤º¤ì¤«¤¬ÂÅÅö¤À¤È»×¤¤¤Þ¤¹¤¬¡¢¤É¤ì¤â±¿ÍѤÎÉéô¤ä¡¢¥µ¡¼¥Ó¥¹Äó¶¡ÉÔǽ¤Ë¤Ê¤ë¥ê¥¹¥¯¤¬¤¢¤ê¡¢ ¸Ä¿Í¤¬¥Æ¥¹¥ÈÌÜŪ¤ÇÀßÄꤹ¤ë¾ì¹ç¤Ï²¿¤Ç¤âÎɤ¤¤È¤·¤Æ¡¢ ¼«Ê¬¤¬¾¦ÍÑ¥µ¥¤¥È¤Î±¿ÍѤòǤ¤µ¤ì¤Æ¤¤¤ë¤Ê¤é¤Ð¡¢¤â¤Ã¤È¤â·üÇ°¤¹¤Ù¤­¤Ï Ĺ´ü´Ö¥µ¡¼¥Ó¥¹Äó¶¡ÉÔǽ¤Ë¤Ê¤ê¥¯¥ì¡¼¥à¤¬µ¯¤­¤ë¤³¤È¤Ê¤Î¤Ç¡¢ HPKP¤Ï»È¤ï¤Ê¤¤¤È¤¤¤¦È½ÃǤò¤¹¤ë¤È»×¤¤¤Þ¤¹¡£

    4.3. ¾ÚÌÀ½ñ¹¹¿·¤ÈHPKP¥Ø¥Ã¥À¤ÎÀßÄêÊѹ¹¤Î±¿ÍÑÊýË¡

    4.2Àá¤Ç¤Ï¡¢¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤Î¤É¤³¤Ë¥Ô¥ó¤òÀßÄꤹ¤ë¤«¤Ç¡¢ ¤É¤Î¤è¤¦¤Ê°ã¤¤¤¬¤¢¤ë¤Î¤«¤Ë¤Ä¤¤¤Æ¹Í»¡¤·¤Þ¤·¤¿¡£

    ËÜÀá¤Ç¤Ï¡¢4.2Àá¤Î¹Í»¡¤ò¼õ¤±¤Æ¡¢ÀßÄêÉÔ¶ñ¹ç¤Ë¤è¤ë¥µ¡¼¥Ó¥¹ÍøÍÑÉÔǽ¤ò Ëɤ®¤Ê¤¬¤é¡¢HPKP¤ò»È¤Ã¤¿¥µ¥¤¥È¤Î¾ÚÌÀ½ñ¹¹¿·¡¢HPKP¥Ø¥Ã¥À¤ÎÊѹ¹¤ò¡¢¤É¤Î¤è¤¦¤Ë±¿ÍѤ¹¤ì¤Ð¤è¤¤¤Î¤«¤Ë¤Ä¤¤¤Æ ¹Í»¡¤·¤Þ¤¹¡£

    HPKP¤ò»È¤Ã¤¿¾ì¹ç¤Î¾ÚÌÀ½ñ¹¹¿·¤Î±¿ÍѤλÅÊý¤Ï4¤Ä¤Î¥±¡¼¥¹¤Ë¤ï¤±¤ë¤³¤È¤¬¤Ç¤­¤Þ¤¹¡£

    • a)¾ÚÌÀ½ñ¹¹¿·¤Îmax-age¤è¤êÁ°¤Ë³Îǧ¤·¡¢¥Ô¥ó¤ò¹Ô¤Ã¤Æ¤¤¤ë¸°¤ËÊѹ¹¤¬¤Ê¤¤¾ì¹ç
    • b)¾ÚÌÀ½ñ¹¹¿·¤Îmax-age¤è¤êÁ°¤Ë¾ÚÌÀ½ñ¹¹¿·¤ÎÁ°¸å¤Ç¥Ô¥ó¤ò¹Ô¤¦¸ø³«¸°¤¬²¿¤ËÊѹ¹¤µ¤ì¤ë¤«¤ï¤«¤Ã¤Æ¤¤¤ë¾ì¹ç
    • c)¾ÚÌÀ½ñ¹¹¿·¤Îmax-age¤è¤êÁ°¤Ë¾ÚÌÀ½ñ¹¹¿·¤ÎÁ°¸å¤Ç¥Ô¥ó¤ò¹Ô¤¦¸ø³«¸°¤¬²¿¤ËÊѹ¹¤µ¤ì¤ë¤«¤ï¤«¤é¤Ê¤¤¡¢¤â¤·¤¯¤ÏÊѹ¹¤¬ÌÀ¤é¤«¤À¤¬¡¢¹¹¿·¤ÎÁ°¸å¤Î¾ÚÌÀ½ñ¤ÎÍ­¸ú´ü´Ö¤òmax-age + ¦Á¥ª¡¼¥Ð¡¼¥é¥Ã¥×¤Ç¤­¤ë¾ì¹ç
    • d)¾ÚÌÀ½ñ¹¹¿·¤Îmax-age¤è¤êÁ°¤Ë¾ÚÌÀ½ñ¹¹¿·¤ÎÁ°¸å¤Ç¥Ô¥ó¤ò¹Ô¤¦¸ø³«¸°¤¬²¿¤ËÊѹ¹¤µ¤ì¤ë¤«¤ï¤«¤é¤Ê¤¤¡¢¤â¤·¤¯¤ÏÊѹ¹¤¬ÌÀ¤é¤«¤À¤¬¡¢¹¹¿·¤ÎÁ°¸å¤Î¾ÚÌÀ½ñ¤ÎÍ­¸ú´ü´Ö¤òmax-age + ¦Á¥ª¡¼¥Ð¡¼¥é¥Ã¥×¤Ç¤­¤Ê¤¤¾ì¹ç
    ¤³¤Î¤è¤¦¤ÊÀâÌÀ¤Ç¤Ï¡¢¶ñÂÎŪ¤Ê¥¤¥á¡¼¥¸¤¬¤ï¤«¤Ê¤¤¤È»×¤¤¤Þ¤¹¤Î¤Ç¡¢¾ÚÌÀ½ñ¥Á¥§¡¼¥óÃæ¤Î¾ÚÌÀ½ñ¤Ëʬ¤±¤Æ¶ñÂÎÎã¤ò¼¨¤·¤Æ¤ß¤Þ¤·¤ç¤¦¡£
    • a-1) ¥ë¡¼¥È¾ÚÌÀ½ñ¤äÃæ´ÖCA¾ÚÌÀ½ñ¤Ë¥Ô¥ó¤òÀßÄꤷ¤Æ¤ª¤ê¡¢¸ÜµÒ¥µ¥Ý¡¼¥È¤ËÌä¹ç¤»¤¿¤é¡¢¼¡²ó¡¢max-age¸å¤Î¾ÚÌÀ½ñ¹¹¿·¤Ç¤Ï¡¢»ÈÍѤ¹¤ë¥ë¡¼¥È¾ÚÌÀ½ñ¡¢Ãæ´ÖCA¾ÚÌÀ½ñ¤Ë¤ÏÊѹ¹¤¬¤Ê¤¤¤³¤È¤¬¤ï¤«¤Ã¤¿¾ì¹ç¡£(¸ÜµÒ¥µ¥Ý¡¼¥È¤Ë±³¤ò¤Ä¤«¤ì¤¿¤é¡¢°ìÉô¥æ¡¼¥¶¤Ë2¥ö·î(=max-age)¥µ¡¼¥Ó¥¹¾ã³²¤Ë¤Ê¤ë¥ê¥¹¥¯¤¢¤ê¡£)
      hpkp-move1
    • b-1) ¥ë¡¼¥È¾ÚÌÀ½ñ¤äÃæ´ÖCA¾ÚÌÀ½ñ¤Ë¥Ô¥ó¤òÀßÄꤷ¤Æ¤ª¤ê¡¢¸ÜµÒ¥µ¥Ý¡¼¥È¤ËÌä¹ç¤»¤¿¤é¡¢¼¡²ó¡¢max-age¸å¤Î¾ÚÌÀ½ñ¹¹¿·¤Ç¤Ï¡¢»ÈÍѤ¹¤ë¥ë¡¼¥È¾ÚÌÀ½ñ¡¢Ãæ´ÖCA¾ÚÌÀ½ñ¤¬¤É¤ì¤ËÊѹ¹¤µ¤ì¤ë¤«¶µ¤¨¤Æ¤â¤é¤¨¤¿¾ì¹ç¡£¤â¤·¤¯¤Ï¥µ¥Ý¡¼¥È¥Ú¡¼¥¸¤Ê¤É¤Ç¹ðÃΤµ¤ì¤Æ¤¤¤ë¾ì¹ç¡£¾ÚÌÀ½ñȯ¹Ô¥µ¡¼¥Ó¥¹¤ÎÊѹ¹¡¢EV¤Ø¤ÎÊѹ¹¤Ê¤É¤âƱÍÍ¡£
      hpkp-move-b1
    • b-2) SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Ë¥Ô¥ó¤òÀßÄꤷ¤Æ¤ª¤ê¡¢OpenSSLÅù¤Ç¼¡²ó¤Î¾ÚÌÀ½ñ¹¹¿·¤Ç»ÈÍѤ¹¤ë¸°¥Ú¥¢¤¬¤¹¤Ç¤Ë»öÁ°À¸À®¤µ¤ì¡¢Êݴɤµ¤ì¤Æ¤¤¤ë¾ì¹ç
      hpkp-move-b2
    • c-1) ¥ë¡¼¥È¾ÚÌÀ½ñ¤äÃæ´ÖCA¾ÚÌÀ½ñ¤Ë¥Ô¥ó¤òÀßÄꤷ¤Æ¤¤¤ë¤¬¡¢¼¡²ó¾ÚÌÀ½ñ¹¹¿·¸å¤Î¥ë¡¼¥È¾ÚÌÀ½ñ¡¢Ãæ´ÖCA¾ÚÌÀ½ñ¤ÎÊѹ¹¤Ë¤Ä¤¤¤Æ¡¢¸ÜµÒ¥µ¥Ý¡¼¥È¤«¤é¤Î²óÅú¤¬ÆÀ¤é¤ì¤º¡¢Êѹ¹¤µ¤ì¤ë¤«¤É¤¦¤«È½ÃǤ¬¤Ä¤«¤Ê¤¤¤¿¤á¡¢»ÅÊý¤Ê¤¯¡¢¾ÚÌÀ½ñ¹¹¿·¤òmax-age + ¦ÁÁ°¤Ë¼Â»Ü¤·¤ÆÍ­¸ú´ü´Ö¤ò½Å¤Í¤ë¤è¤¦»öÁ°¾ÚÌÀ½ñȯ¹Ô¤·¤¿¤é¡¢¤ä¤Ï¤ê¥ë¡¼¥È¾ÚÌÀ½ñ¡¢Ãæ´ÖCA¾ÚÌÀ½ñ¤ÏÊѹ¹¤Ë¤Ê¤Ã¤Æ¤¤¤¿¾ì¹ç(Êѹ¹¤¬¤Ê¤±¤ì¤Ða-1¤Î¥±¡¼¥¹¤È¤Ê¤ë¡£)
      hpkp-move-c1
    • c-2) SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Ë¥Ô¥ó¤òÀßÄꤷ¤Æ¤¤¤ë¤¬¡¢OpenSSL¤ò»È¤ï¤º¡¢¥Ö¥é¥¦¥¶¤Îµ¡Ç½¤Ç¸°¥Ú¥¢À¸À®¤¹¤ë¥¿¥¤¥×¤Îǧ¾Ú¶É¤Ç¤¢¤ë¤¿¤á¡¢»öÁ°¤Ë¹¹¿·¸å¤Î¸ø³«¸°¤Ï¤ï¤«¤é¤º¡¢¾ÚÌÀ½ñ¹¹¿·¤òmax-age + ¦ÁÁ°¤Ë¼Â»Ü¤·¤ÆÍ­¸ú´ü´Ö¤ò½Å¤Í¤ë¤è¤¦»öÁ°¾ÚÌÀ½ñȯ¹Ô¤Ç¤­¤ë¾ì¹ç
      hpkp-move-c2
    • c-3) SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Ë¥Ô¥ó¤òÀßÄꤷ¤Æ¤¤¤ë¤¬¡¢HSMµ¡Ç½¤ò»È¤¦SSL¥¢¥¯¥»¥é¥ì¡¼¥¿¡¼¤ò»È¤Ã¤Æ¤ª¤ê¡¢»öÁ°¤Ë¹¹¿·¸å¤Î¸ø³«¸°¤Ï¤ï¤«¤é¤º¡¢¾ÚÌÀ½ñ¹¹¿·¤òmax-age + ¦ÁÁ°¤Ë¼Â»Ü¤·¤ÆÍ­¸ú´ü´Ö¤ò½Å¤Í¤ë¤è¤¦»öÁ°¾ÚÌÀ½ñȯ¹Ô¤Ç¤­¤ë¾ì¹ç¡£°Ü¹Ô¤Î¿Þ¤Ïc-2¤ÈƱ¤¸¤Ë¤Ê¤ê¤Þ¤¹
    • d-1) SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Ë¥Ô¥ó¤òÀßÄꤷ¤Æ¤¤¤ë¤¬¡¢Let's Encrypt¤ä°ìÉô¤Îǧ¾Ú¶É¤Î¤è¤¦¤Ë¡¢¾ÚÌÀ½ñ¹¹¿·¸å¡¢Á°¤Î¾ÚÌÀ½ñ¤Ï¨»þ¤Ë¼º¸ú½èÍý¤¬¤µ¤ì¡¢max-age + ¦Á¤Î´ü´Ö¤ÎÍ­¸ú´ü´Ö¤Î¥ª¡¼¥Ð¡¼¥é¥Ã¥×¤¬¤Ç¤­¤Ê¤¤¾ì¹ç
      hpkp-move-d1
    ¼«Ê¬¤Î±¿ÍѤ¬¤É¤Î¥±¡¼¥¹¤Ë¤¢¤Æ¤Ï¤Þ¤ë¤«¡¢¾åµ­¤ÎÀâÌÀ¤Ç¤ï¤«¤Ã¤¿¤Ç¤·¤ç¤¦¤«¡£¤µ¤Æ¡¢a¡Ád¤Î¥±¡¼¥¹¤Ç¡¢¤É¤Î¤è¤¦¤ËÂбþ¤¹¤ë¤«¤ò°Ê²¼¤Ë¼¨¤·¤Þ¤¹¡£
    • a¤ÎÂбþ) ¾ÚÌÀ½ñ¹¹¿·¤ËºÝ¤·¡¢¥¦¥§¥Ö¥µ¡¼¥Ð¡¼¤ÎHPKP¥Ø¥Ã¥À¤ÎÀßÄê¤ÏÊѹ¹¤·¤Ê¤¯¤Æ¤è¤¤
    • b¤ÎÂбþ) max-age¤ò¤Ï¤¢¤Þ¤êµ¤¤Ë¤»¤º¡¢¾ÚÌÀ½ñ¹¹¿·¸å¤Î¡¢¥¦¥§¥Ö¥µ¡¼¥Ð¡¼¤Î¾ÚÌÀ½ñÀßÄê¡¢HPKP¥Ø¥Ã¥À¤òÀßÄêÊѹ¹¤·¤Æ¤è¤¤
    • c¤ÎÂбþ) ¤â¤Ã¤È¤â¿À·Ð¤ò¸¯¤¦¡¢max-age¤ËÇÛθ¤·¤¿¡¢¾ÚÌÀ½ñ¹¹¿·¡¢HPKP¥Ø¥Ã¥ÀÀßÄ꤬ɬÍס£¾ÚÌÀ½ñ¤Î¹¹¿·¤ÎÁ°¸å¤Ç¡¢Í­¸ú´ü´Ö¤Î¥ª¡¼¥Ð¡¼¥é¥Ã¥×¤¬É¬Í×
    • d¤ÎÂбþ) ¤³¤Î¥±¡¼¥¹¤Ç¤ÏHPKP¤Ï»È¤¨¤Ê¤¤¡£Â¾¤Î¾ÚÌÀ½ñ¡¢¾ÚÌÀ½ñȯ¹Ô¥µ¡¼¥Ó¥¹¤Ø¤Î¥Ô¥óÀßÄê¤ÎÊѹ¹¤ò¸¡Æ¤¤¹¤ëɬÍפ¬¤¢¤ë¡£»È¤Ã¤Æ¤â¡¢°ìÉô¥æ¡¼¥¶¤Ë¥µ¡¼¥Ó¥¹ÀܳÉÔǽ¾ã³²¤¬max-ageÄøÅÙȯÀ¸¤¹¤ë¡£
    ¤É¤ó¤Ê¾ÚÌÀ½ñ¹¹¿·¡¢HPKP¥Ø¥Ã¥ÀÀßÄê¤Î°Ü¹Ô¤ò¹Ô¤¦¤Ë¤·¤Æ¤â¡¢¾ÚÌÀ½ñ¤ÎÍ­¸ú´ü¸Â¡¢max-age¡¢ÈëÌ©¸°¤ÎÊݴɤʤɡ¢ÍÍ¡¹¤Ê¤³¤È¤Ëµ¤¤ò¸¯¤¤¤Ê¤¬¤é¡¢°Ü¹Ô·×²è¤òΩ¤Æ¡¢°Ü¹Ô¤·¤Ê¤¤¤È¤Ê¤é¤º¡¢¤­¤Á¤ó¤È¹Í¤¨¤Ê¤¤¤ÈĹ´ü¤Î¥µ¡¼¥Ó¥¹¾ã³²È¯À¸¤¹¤ë¤È¤¤¤¦±¿ÍѾå¤ÎÉéô¤ä¥ê¥¹¥¯¤ÏÂ礭¤¤¤È»×¤¤¤Þ¤¹¡£

    4.4. ¥Ð¥Ã¥¯¥¢¥Ã¥×¥Ô¥ó¤È¤¤¤¦Ì¿Ì¾¤Î¤¤¤±¤Æ¤Ê¤µ

    Àè¤Ë½Ò¤Ù¤¿¤è¤¦¤Ë¡¢²¿¤«°ì¤Ä¡¢¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤È¤Ï¥Þ¥Ã¥Á¤·¤Ê¤¤¥Ô¥ó¤òɬ¤º´Þ¤á¤Ê¤±¤ì¤Ð¤¤¤±¤Þ¤»¤ó¡£SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Ë¥Ô¥ó¤ò¤¹¤ë¾ì¹ç¤Ï¡¢¸½ºß»È¤Ã¤Æ¤¤¤ëSSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤ÎÈëÌ©¸°¤ËÂФ·¤Æ¡¢¾­Íè¡¢¾ÚÌÀ½ñ¹¹¿·¤Ç»È¤¦Í½Äê¤ÎÈëÌ©¸°¤â»öÁ°¤ËÀ¸À®¤·¤Æ¤ª¤±¤ë¤Ê¤é¡¢¤½¤Î¸ø³«¸°¤ò¥Ð¥Ã¥¯¥¢¥Ã¥×¥Ô¥ó¤È¤·¤ÆÀßÄꤷ¤Æ¤ª¤±¤Ð¡¢¤Þ¤µ¤·¤¯¥Ð¥Ã¥¯¥¢¥Ã¥×¤È¤·¤Æ»ÈÍѤǤ­¡¢(¸å½Ò¤ÎÌäÂꤢ¤ê¤¢¤ê¤Ç¤¹¤¬)¥¹¥à¡¼¥¹¤Ê¾ÚÌÀ½ñ¤È¥Ô¥ó¤Î°Ü¹Ô¤¬²Äǽ¤Ç¤¹¡£

    ¤·¤«¤·¤Ê¤¬¤é¡¢ÈëÌ©¸°¤ò°Ü¹ÔÀè¤Î¥Ð¥Ã¥¯¥¢¥Ã¥×¤È¤·¤Æ»öÁ°À¸À®¤·¤Æ¤ª¤­¡¢¤³¤ì¤¬ÍøÍѤǤ­¤ë¤È¤¤¤¦¥±¡¼¥¹¤Ï¥ì¥¢¥±¡¼¥¹¤Ç¤¹¡£Î㤨¤Ð°Ê²¼¤Î°ìÈ̤˵¯¤³¤ê¤¦¤ë¥±¡¼¥¹¤Ç¤Ï¡¢¾ÚÌÀ½ñ¹¹¿·¤ÎºÝ¤Ë¡¢¤½¤Î»öÁ°À¸À®¤·¤¿ÈëÌ©¸°¤ò»ÈÍѤ¹¤ë¤³¤È¤Ï¤Ç¤­¤Þ¤»¤ó¡£

    CA¾ÚÌÀ½ñ¤Î¥Ð¥Ã¥¯¥¢¥Ã¥×Pin
    ǧ¾Ú¶É¤¬¹Ô¤¦¾ÚÌÀ½ñ¹¹¿·¤â¤·¤¯¤Ï¸°¹¹¿·¤Ë¤ª¤¤¤Æ¡¢»öÁ°¤Ë°Ü¹ÔÀè¤ÎÈëÌ©¸°¤¬Â¸ºß¤¹¤ë¤È¤¤¤¦¤³¤È¤â¤¢¤ê¤Þ¤»¤ó¤·¡¢°Ü¹ÔÀè¤Î¸ø³«¸°¤ÎPin¤ò¥æ¡¼¥¶¤Ë¸ø³«¤·¤Æ¤¯¤ì¤ëǧ¾Ú¶É¤â¤¢¤ê¤Þ¤»¤ó¡£
    HSM¤ò»È¤Ã¤Æ¤¤¤ë¾ì¹ç¤Î¥Ð¥Ã¥¯¥¢¥Ã¥×
    ǧ¾Ú¶É¤äSSL¥¢¥¯¥»¥é¥ì¡¼¥¿¡¼¤ò»È¤Ã¤Æ¤¤¤ë¥±¡¼¥¹¤Ç¤Ï¡¢ÈëÌ©¸°¤ò¼è¤ê½Ð¤·ÉÔ²Äǽ¤Ê¥Ï¡¼¥É¥¦¥§¥¢¥»¥­¥å¥ê¥Æ¥£¥â¥¸¥å¡¼¥ë(HSM)¤Ç´ÉÍý¤¹¤ë¤Î¤¬°ìÈÌŪ¤Ç¤¹¡£HSM¤ò»ÈÍѤ·¤¿¸°¹¹¿·¡¢¾ÚÌÀ½ñ¹¹¿·¤Ç¤Ï¡¢»öÁ°¤ËÈëÌ©¸°¤ò´ö¤Ä¤«À¸À®¤·¤Æ¤ª¤­¡¢¹¹¿·»þ¤Ë¤½¤ì¤ò»ØÄꤷ¤Æ¹¹¿·¤Ë»ÈÍѤ¹¤ë¤È¤¤¤¦¤³¤È¤¬¤Ç¤­¤Þ¤»¤ó¡£¹¹¿·»þ¤Ë¤Ï¡¢¿·¤¿¤Ë¸°¥Ú¥¢¤òÀ¸À®¤·¤Æ¡¢¤³¤ì¤ò»ÈÍѤ·¤Þ¤¹¡£¤³¤Î¤¿¤á¤Ë¡¢Ç§¾Ú¶É¤Ç¤Ï¥Ð¥Ã¥¯¥¢¥Ã¥×Pin¤ò¸ø³«¤¹¤ë¤³¤È¤¬¤Ç¤­¤Ê¤¤¤Î¤Ç¤¹¡£
    ¥¦¥§¥Ö²èÌ̤Ǹ°¥Ú¥¢À¸À®¤·¤ÆSSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñȯ¹Ô¤¹¤ëǧ¾Ú¶É¤Î¾ì¹ç
    ǧ¾Ú¶É¤Ë¤è¤Ã¤Æ¤Ï¡¢¥¦¥§¥Ö¥Ö¥é¥¦¥¶¤Îµ¡Ç½¤ò»ÈÍѤ·¤Æ¡¢¥Ü¥¿¥ó¤ò²¡¤»¤Ð¼«Æ°¤Ç¸°¥Ú¥¢À¸À®¤ò¹Ô¤¤¡¢¤³¤ì¤òÍѤ¤¤Æ¾ÚÌÀ½ñ¤òȯ¹Ô¤·¡¢¿·¤·¤¤¾ÚÌÀ½ñ¤ò³ÊǼ¤¹¤ë¤â¤Î¤¬¤¢¤ê¤Þ¤¹¡£¤½¤Î¤è¤¦¤Êǧ¾Ú¶É¤Ç¤Ï¡¢»öÁ°¤ËÀ¸À®¤·¤Æ¤ª¤¤¤¿¸°¤òȯ¹Ô»þ¤Ë»ÈÍѤ¹¤ë¤È¤¤¤¦¤³¤È¤¬¤Ç¤­¤Þ¤»¤ó¡£
    Let's Encrypt¤ò»È¤¦¾ì¹ç
    ̵ÎÁ¤ÇÀ¤³¦°ì¤Îȯ¹Ô¿ô¤ò¸Ø¤ë¾ÚÌÀ½ñȯ¹Ô¥µ¡¼¥Ó¥¹¤Ç¤¢¤ëLet's Encrypt¤Ç¤Ï¡¢¾ÚÌÀ½ñ¤Îȯ¹Ô¥×¥í¥»¥¹¤¬¥¹¥¯¥ê¥×¥È¤Ë¤è¤ê¼«Æ°²½¤µ¤ì¤Æ¤¤¤Þ¤¹¤¬¡¢¤³¤ì¤â¾ÚÌÀ½ñ¤Î¹¹¿·»þ¤Ë¤Ï¼«Æ°¤Ç¸°¥Ú¥¢À¸À®¤µ¤ì¤ë¤Î¤Ç¡¢»öÁ°¤ËÀ¸À®¤·¤Æ¤¤¤¿¸°¥Ú¥¢¤ò»ÈÍѤ¹¤ë¤³¤È¤¬¤Ç¤­¤Þ¤»¤ó¡£
    ËÜÅö¤Î°ÕÌ£¤Ç¤Î¡Ö¥Ð¥Ã¥¯¥¢¥Ã¥×Pin¡×¤¬»È¤¨¤ë¤Î¤Ï¡¢°Ê²¼¤Î¾ì¹ç¤Ë¤Î¤ß²Äǽ¤Ç¤¢¤ë¤È¤¤¤¦¤³¤È¤Ç¤¹¡£
    • SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤ËÂФ·¤ÆPin¤ò¤¹¤ë¾ì¹ç¤Ç¡¢¤«¤Ä¡¢
    • OpenSSL¤Ê¤É¤Î¥³¥Þ¥ó¥É¤Ç¸°¥Ú¥¢À¸À®¤·¡¢¥Þ¥Ë¥å¥¢¥ë¤Ç¾ÚÌÀ½ñȯ¹ÔÍ×µá¤òÀ¸À®¤·¤Æ¡¢¾ÚÌÀ½ñȯ¹Ô¤·¤Æ¤â¤é¤¨¤ëǧ¾Ú¶É¤ò»ÈÍѤ¹¤ë¾ì¹ç
    ½¾¤Ã¤Æ¡¢¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤Ë¥Þ¥Ã¥Á¤·¤Ê¤¤¤â¤Î¤ò¡¢¡Ö¥Ð¥Ã¥¯¥¢¥Ã¥×Pin¡×¤È¸Æ¤Ö¤Î¤Ï¡¢¾å½Ò¤Î¤Û¤È¤ó¤É¤Î¥±¡¼¥¹¤ÇŬÀڤǤʤ¤¤Î¤Ç¡¢Ì¾¾Î¤Ë¤ÏÌäÂ꤬¤¢¤ë¤È¹Í¤¨¤Æ¤¤¤Þ¤¹¡£

    4.5. CA¸°¤Î¥Ð¥Ã¥¯¥¢¥Ã¥×¥Ô¥ó¤Î¥ª¥¹¥¹¥á¤ÎÃÍ

    ¥ë¡¼¥È¾ÚÌÀ½ñ¤äÃæ´ÖCA¾ÚÌÀ½ñ¤Ë¥Ô¥ó¤òÀßÄꤹ¤ë¾ì¹ç¡¢ °ìÃפ·¤Ê¤¤¥Ô¥ó¤Ï¡¢¾­Íè¤Î¹¹¿·À褬¤ï¤«¤é¤Ê¤¤¾ì¹ç¤Ë¤Ï²¿¤Ç¤â¤è¤¯¡¢ ¤µ¤é¤Ë¤Ï¡¢ËÜʪ¤Î¸ø³«¸°¤Î¥Ï¥Ã¥·¥å¤Ç¤¢¤ëɬÍפ⤢¤ê¤Þ¤»¤ó¡£ SHA256¤Ê¤Î¤Ç¡¢Ã±¤Ë32¥Ð¥¤¥È¤ÎÃͤǤ¢¤ì¤Ð²¿¤Ç¤âÎɤ¤¤ï¤±¤Ç¤¹¡£

    ¤¿¤À¡¢HPKP¥Ø¥Ã¥À¤Ç°ì¸«¤·¤Æ°ìÃפ·¤Ê¤¤¥Ô¥ó¤À¤È¤ï¤«¤Ã¤¿¤Û¤¦¤¬¡¢ ¸í¤Ã¤Æºï½ü¤¹¤ë¤Ê¤É¤Î±¿Íѥߥ¹¤òËɤ°°ÕÌ£¤Ç¤âÎɤ¤¤È¹Í¤¨¤Æ¤ª¤ê¡¢ ¤½¤³¤Ç¡¢¥ª¥¹¥¹¥á¤·¤¿¤¤¤Î¤¬¡¢°Ê²¼¤ÎÃͤǤ¹¡£

    pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; ¤³¤ì¤Ï¡¢16¿Ê¿ô¤Ç 0000000000000000000000000000000000000000000000000000000000000000 (32¥Ð¥¤¥È)
    ¤È¤Ê¤ê¤Þ¤¹¡£Î®¹Ô¤ë¤È¤¤¤¤¤Ê¤È»×¤Ã¤Æ¤¤¤Þ¤¹w

    4.6. ¾ÚÌÀ½ñ¥Á¥§¡¼¥óÃæ¤ÇÊ£¿ô¥Ô¥ó¤ò¤Ä¤±¤Æ¤â°ÕÌ£¤Ï¤Ê¤¤

    ¤³¤ì¤Þ¤Ç¡¢¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤È°ìÃפ¹¤ë¥Ô¥ó¤Î¿ô¤Ï1¤Ä¤òÁ°Äó¤ËµÄÏÀ¤·¤Æ¤­¤Þ¤·¤¿¤¬¡¢ ¤³¤ì¤òÊ£¿ô¡¢Î㤨¤Ð¡¢¥ë¡¼¥È¾ÚÌÀ½ñ¤È¡¢Ãæ´ÖCA¾ÚÌÀ½ñ¤È¡¢SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Î¥Ô¥ó¤ò°ìÃפµ¤»¤¿¾ì¹ç¤Ë¤Ï¡¢ ¤É¤¦¤Ê¤ë¤Î¤«¤ò¹Í»¡¤·¤¿¤¤¤È»×¤¤¤Þ¤¹¡£

    ¤Þ¤º¡¢SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Ë¥Ô¥ó¤òÂǤäơ¢¼¡¤ËÃæ´ÖCA¾ÚÌÀ½ñ¡¢¼¡¤Ë¥ë¡¼¥È¾ÚÌÀ½ñ¤Î¥Ô¥ó¤òÄɲ䷤Ƥ¤¤¯ ¤³¤È¤ò¹Í¤¨¤Æ¤Þ¤·¤ç¤¦¡£ Ʊ¤¸¸°¥Ú¥¢¤òÊ£¿ô¤Îǧ¾Ú¶É¤«¤é¤Î¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñȯ¹Ô¤Ç»ÈÍѤ·¤Ê¤¤¤È¤¤¤¦¡¢Åö¤¿¤êÁ°¤Î»ö¤òÁ°Äó¤È¤·¤Þ¤¹¡£ SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Ë¥Ô¥ó¤òÂǤĻö¤¬ºÇ¤â¡¢ÈϰϤ¬¸ÂÄêŪ¤Ç¥Ë¥»HTTPS¤ËÂФ¹¤ë ºÇ¤â¶¯¤¤Âкö¤Ç¤¢¤ë¤È¡¢4.2Àá­£­¤¤Ç½Ò¤Ù¤Þ¤·¤¿¡£

    ¤½¤³¤ËÃæ´ÖCA¾ÚÌÀ½ñ¤Î°ìÃפ¹¤ë¥Ô¥ó¤ò­¤·¤Æ¤ß¤¿¤é¤É¤¦¤Ç¤·¤ç¤¦¤«¡£¥Ô¥ó¤ÇÆÃÄꤹ¤ë¾ÚÌÀ½ñ¤ÎÈϰϤÏÁ´¤¯ÊѤï¤ê¤Þ¤»¤Î¤Ç¡¢Ãæ´ÖCA¾ÚÌÀ½ñ¤Î¥Ô¥ó¤ò­¤¹¤³¤È¤Ç¡¢¥Ë¥»HTTPS¥µ¥¤¥Èºî¤ê¤¬Æñ¤·¤¯¤Ê¤Ã¤¿¤ê¤Ï¤»¤º¡¢¥»¥­¥å¥ê¥Æ¥£¤Î¶¯ÅÙ¤â¾å¤¬¤ê¤Þ¤»¤ó¡£¤Þ¤¿¡¢±¿ÍÑÌ̤Ǥϡ¢¥Ô¥ó¤Î°ìÃפÎÇÛ褬¥Ô¥ó°ì¤Ä¤ÈÈæ¤Ù¤ÆÆñ¤·¤¯¡¢¤Þ¤¿¡¢¥¦¥§¥Ö¥µ¥¤¥È¥ª¡¼¥Ê¡¼¤À¤±¤Ç´ÉÍý¤Ç¤­¤Ê¤¤ÈϰϤȤʤë¤Î¤Ç¾ÚÌÀ½ñ¤ä¥Ô¥ó¥Ø¥Ã¥ÀÊѹ¹¤Î±¿ÍѤϳÊÃʤËÊ£»¨¤ÇÌÌÅݤˤʤê¤Þ¤¹¡£¤³¤ì¤ËÂФ·¡¢¥ë¡¼¥È¾ÚÌÀ½ñ¤Î¥Ô¥ó¤ò²Ã¤¨¤¿¾ì¹ç¤Ç¤âÁ´¤¯Æ±¤¸¤³¤È¤Ç¤¹¡£¥»¥­¥å¥ê¥Æ¥£¶¯Å٤Ͼ夬¤é¤º¡¢°Ü¹Ô¤Î±¿ÍѤÏÊ£»¨¤Ë¤Ê¤ë¤Î¤Ç¤¹¡£
    hpkp-multipin

    ½¾¤Ã¤Æ¡¢¾ÚÌÀ½ñ¥Á¥§¡¼¥óÃæ¤ÇÊ£¿ô¤Î¥Ô¥ó¤ò¤Ä¤±¤Æ¤â°ÕÌ£¤¬¤Ê¤¯¡¢¤«¤¨¤Ã¤Æ±¿ÍѤ¬Ê£»¨¤Ë¤Ê¤ë¤À¤±¤Ê¤Î¤Ç¡¢»ß¤á¤¿¤Û¤¦¤¬¤è¤¤¤È¤¤¤¦¤³¤È¤¬¸À¤¨¤Þ¤¹¡£

    4.7. Ʊ¤¸CA¾ÚÌÀ½ñ¤ËPin¤·Â³¤±¤ë¾ì¹ç¤Î²ÝÂê

    º£¸åÅöÌ̤ϡ¢Æ±¤¸¥ë¡¼¥Èǧ¾Ú¶É¡¢Ãæ´Öǧ¾Ú¶É¤«¤éȯ¹Ô¤·¤Æ¤â¤é¤¦¾ì¹ç¤Ë¡¢¤½¤Îǧ¾Ú¶É¤Î¾ÚÌÀ½ñ¤Î¸ø³«¸°¤ËPin¤¹¤ë¤³¤È¤¬¤Ç¤­¤Þ¤¹¡£¤½¤Î¾ì¹ç¤Ë¤Ï¡¢¥Ð¥Ã¥¯¥¢¥Ã¥×Pin¤Ï¡¢Ç§¾Ú¶É¤«¤é°Ü¹ÔÀè¤ÎPin¤ò¶µ¤¨¤Æ¤â¤é¤¨¤ë¤ï¤±¤Ç¤Ï¤Ê¤¤¤Î¤Ç¡¢¤Ê¤ó¤Ç¤âŬÅö¤ÊÃͤÇÎɤ¤¤³¤È¤Ë¤Ê¤ê¤Þ¤¹¡£¸ø³«¸°¤Î¥Ï¥Ã¥·¥å¤Ç¤¢¤ëɬÍפâ¤Ê¤¯¡¢32¥Ð¥¤¥È¤ÎÃͤÎBase64ɽ¸½¤Ç¤¢¤ì¤Ð(¾×Æͤ·¤Ê¤±¤ì¤Ð)²¿¤Ç¤âÎɤ¤¤³¤È¤Ë¤Ê¤ê¤Þ¤¹¡£

    ¤¿¤À¤·¡¢¡ÖÅöÌ̤ϡפȽñ¤­¤Þ¤·¤¿¤¬¡¢SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤òȯ¹Ô¤¹¤ë»ÈÍѤ·¤Æ¤¤¤¿Ãæ´Öǧ¾Ú¶É¤¬¡¢¼¡¤Î¾ÚÌÀ½ñȯ¹Ô»þ¤Ë¤âƱ¤¸Ãæ´Öǧ¾Ú¶É¡¢Æ±¤¸¸ø³«¸°¤Ç¤¢¤ë¤È¤¤¤¦Êݾڤ¬¤¢¤ê¤Þ¤»¤ó¡£°Ê²¼¤ÎÍýͳ¤Ë¤è¤ê¡¢Æ±¤¸Ãæ´ÖCA¾ÚÌÀ½ñ¤¬»È¤ï¤ì¤Ê¤¤²ÄǽÀ­¤¬¤¢¤ê¤Þ¤¹¡£

    • Ãæ´ÖCA¾ÚÌÀ½ñ¤ÎÍ­¸ú´ü¸Â¤Ï¡¢5ǯ¤«¤é10ǯÄøÅ٤Ǥ¹¡£¤½¤ÎÍ­¸ú´ü¸Â¤ÎȾʬÄøÅÙ¤«¤é¡¢ºÇŤǤâ2¡¢3ǯ¤ò»Ä¤·¤Æ¡¢¤½¤ÎÃæ´Öǧ¾Ú¶É¤«¤é¤Ï¾ÚÌÀ½ñ¤¬È¯¹Ô¤µ¤ì¤Ê¤¯¤Ê¤ê¡¢ÍøÍѼԤÏÊ̤ÎCA¤«¤é¾ÚÌÀ½ñ¤òȯ¹Ô¤·¤Æ¤â¤é¤¦¤è¤¦¤Ë¤Ê¤ê¤Þ¤¹¡£
    • ¾ÚÌÀ½ñ¤Îȯ¹Ô¿ôËç¿ô¤¬Â¿¤¯¤Ê¤ë¤È¡¢¤½¤ì¤À¤±¡¢¾ÚÌÀ½ñ¼º¸ú¥ê¥¹¥È(CRL)¤Î¥µ¥¤¥º¤âÂ礭¤¯¤Ê¤ê¤Þ¤¹¤Î¤Ç¡¢°ì¤Ä¤ÎÃæ´ÖCA¤«¤éȯ¹ÔËç¿ô¤òÀ©¸Â¤·¤Æ¡¢°Ê¹ß¤Î¾ÚÌÀ½ñȯ¹Ô¤Ï¡¢¿·¤·¤¤Ãæ´ÖCA¤«¤éȯ¹Ô¤µ¤»¤ë¥±¡¼¥¹¤¬¤¢¤ê¤Þ¤¹¡£
    • ¶áǯ¡¢Ç§¾Ú¶É¤Î±¿ÍѾå¤ÎÉÔÈ÷¡¢¥µ¥¤¥Ð¡¼¹¶·â¤Ê¤É¤«¤é¾ÚÌÀ½ñȯ¹Ô¥µ¡¼¥Ó¥¹Á´ÂΤ䡢ÆÃÄê¤ÎÃæ´ÖCA¤¬±¿ÍÑÄä»ß¡¢¥µ¡¼¥Ó¥¹½ªÎ»¤Ë¤Ê¤ë¤³¤È¤¬¤¢¤ê¤Þ¤¹¡£
    ¤³¤Î¤è¤¦¤Ê¾ì¹ç¤Ë¤Ï¡¢Æ±¤¸Ãæ´ÖCA¤ÎPin¤ò»È¤¦¤³¤È¤¬¤Ç¤­¤Þ¤»¤ó¡£

    Í­¸ú¤ÊPin¤òÀßÄꤷ¤¿Æ±¤¸¥ë¡¼¥ÈCA¤â¤·¤¯¤ÏÃæ´ÖCA¤«¤é¡¢¿·¤·¤¤¾ÚÌÀ½ñ¤¬È¯¹Ô¤·¤Æ¤â¤é¤¨¤Ê¤¤¤È¤ï¤«¤Ã¤¿ºÝ¤Ë¡¢Ê̤ξÚÌÀ½ñ¤Î°Ü¹Ô¤Ï¡¢¤¹¤°¤Ë¤Ï¤Ç¤­¤º¡¢max-age¤Ç»ØÄꤷ¤¿´ü´Ö¡¢°ìÈ̤ˤÏ1¥ö·î¤«¤é1ǯÄøÅ٤ϡ¢¾ÚÌÀ½ñ¤ÎÆþ¤ìÂؤ¨¤¬¤Ç¤­¤Þ¤»¤ó¡£ºÇ°­¤Î¾ì¹ç¡¢¤½¤Î´ü´Ö¡¢Í­¸ú¤ÊHTTPSÄÌ¿®¤¬¤Ç¤­¤Ê¤¤¤È¤¤¤¦»ö¤â¤¢¤ê¤¨¤Þ¤¹¡£

    ¤³¤Î¤è¤¦¤Ê±Æ¶Á¤ò¡¢·Ú¸º¤¹¤ëÊýË¡¤¬Ìµ¤¤¤ï¤±¤Ç¤Ï¤¢¤ê¤Þ¤»¤ó¡£¾ÚÌÀ½ñ¤ò¹¹¿·¤¹¤ë¤ÈȽÃǤ·¡¢Æ±¤¸Ãæ´ÖCA¤«¤é¾ÚÌÀ½ñ¤¬È¯¹Ô¤Ç¤­¤Ê¤¤¤È¤ï¤«¤Ã¤¿»þÅÀA¤Ç¡¢¤½¤³¤«¤émax-age·Ð²á¤·¤¿»þÅÀB¤òµ­Ï¿¤·¤Æ¤ª¤­¡¢¿·¤·¤¤¾ÚÌÀ½ñ¤ò¼èÆÀ¤·¤Þ¤¹¡£(¤¬»È¤¤¤Þ¤»¤ó¡£)¡£¥Ð¥Ã¥¯¥¢¥Ã¥×Pin¤È¤·¤Æ¡¢¤½¤Î¿·¤·¤¤¾ÚÌÀ½ñ¤ÎÊ̤ÎÃæ´ÖCA¾ÚÌÀ½ñ¤Î¸ø³«¸°¤ÎPin¤ò¥¦¥§¥Ö¥µ¡¼¥Ð¡¼¤Î¥Ø¥Ã¥À¤ËÀßÄꤷ¤Þ¤¹¡£»þÅÀB¤Ë¤Ê¤Ã¤Æ¡¢½é¤á¤Æ¿·¤·¤¤¾ÚÌÀ½ñ¤Ø¤ÎÆþ¤ìÂؤ¨¤ò¼Â»Ü¤·¤Þ¤¹¡£¤³¤Î»ö¤«¤é¡¢max-age¤ò1ǯÅù¡¢Ä¹¤¯¤È¤ì¤Ðµ¶¥µ¥¤¥È¤ÎËɻߤˤÏÌòΩ¤Á¤Þ¤¹¤¬¡¢º£½Ò¤Ù¤¿¤è¤¦¤Ê¾ÚÌÀ½ñ¹¹¿·¤Î¥ê¥¹¥¯¤â¤¢¤ê¡¢È¾·î¤«¤é1¥ö·îÄøÅÙ¤ËÀßÄꤹ¤ë¤Î¤¬ÂÅÅö¤Ê¤è¤¦¤Ë»×¤¤¤Þ¤¹¡£

    4.8. 2¤Ä¤ÎCA¾ÚÌÀ½ñ¤ËPin¤¹¤ë¾ì¹ç¤Î²ÝÂê

    SSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Î¹¹¿·¤ÎºÝ¤Ë¡¢2¤Ä¤Î¾ÚÌÀ½ñȯ¹Ô¥µ¡¼¥Ó¥¹¡¢Î㤨¤ÐSymantec¤ÈGlobalSign¤ò¸ò¸ß¤Ë¾è¤ê´¹¤¨¤ë¤È¤·¤Æ¡¢¤³¤ì¤é2¤Ä¤ÎÃæ´ÖCA¾ÚÌÀ½ñ¤ÎPin¤ò¥Ø¥Ã¥À¤ËÀßÄꤷ¡¢»ÈÍѤ·¤Æ¤Ê¤¤¤Ê¤¤Êý¤ò¥Ð¥Ã¥¯¥¢¥Ã¥×Pin¤È¤¹¤ë¤Î¤Ï¡¢¤Ê¤«¤Ê¤«¸­¤¤ÊýË¡¤À¤È»×¤¤¤Þ¤¹¡£
    hpkp-two

    ¤·¤«¤·¤Ê¤¬¤é¡¢Á°½Ò¤ÎÍýͳ¤Ë¤è¤ê¡¢Symantec¤Î¼¡¤Ëȯ¹Ô¤·¤Æ¤â¤é¤ª¤¦¤ÈͽÄꤷ¤Æ¤¤¤¿GlobalSign¤ÎÃæ´ÖCA¾ÚÌÀ½ñ¤ÎPin¤¬»È¤¨¤Ê¤¤¥±¡¼¥¹¤¬¤¢¤ê¤Þ¤¹¡£

    °Ê¾å¤Î¤è¤¦¤Ë¡¢CA¾ÚÌÀ½ñ¤ËPin¤òÂǤĥ±¡¼¥¹¤Ç¤Ï¡¢¾ÚÌÀ½ñȯ¹Ô¥µ¡¼¥Ó¥¹¤Îµ¤¤Þ¤°¤ì¤Ë¥Ó¥¯¥Ó¥¯¤·¤Ê¤¬¤é¡¢¥¦¥§¥Ö¥µ¡¼¥Ð¡¼¤ÎHPKP¤ò±¿ÍѤ¹¤ë¤Î¤Ï¤È¤Æ¤âÌÌÅݤÀ¤È»×¤¤¤Þ¤»¤ó¤«? ¤½¤ì¤Ê¤é¡¢¤Þ¤À¡¢¼«Ê¬¤Ç¥³¥ó¥È¥í¡¼¥ë¤Ç¤­¤ëSSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤ËPin¤òÂǤÄÊý¤¬¡¢ÌÌÅݤǤâÎɤ¤¤è¤¦¤Êµ¤¤â¤·¤Æ¤­¤Þ¤¹¡£

    4.9. max-age¤Î¥ª¥¹¥¹¥áÃͤò¹Í¤¨¤ë

    RFC 7469 4.1Àá¤Î ¥»¥­¥å¥ê¥Æ¥£¹Í»¡¤Ë¤ª¤¤¤Æ¡¢max-age¤ÎºÇÂçÃͤˤĤ¤¤Æ°Ê²¼¤Î¤è¤¦¤Ëµ­ºÜ¤µ¤ì¤Æ¤ª¤ê¡¢ ¡Ö60Æü¤¬¥Ð¥é¥ó¥¹¤Î¼è¤ì¤¿Ãͤ«¤â¤Í¡×¤È¸À¤Ã¤Æ¤¤¤Þ¤¹¡£

    RFC 7469 4.1. Maximum max-age ¤è¤ê
    However, a value on the order of 60 days (5,184,000 seconds) may be considered a balance between the two competing security concerns.
    ¤¿¤À¡¢5¾Ï¤ÎScott Helme»á¤ÎHPKPÂбþ¥É¥á¥¤¥ó¥ê¥¹¥È¤Ë´ð¤Å¤¤¤¿»ä¤ÎÄ´ºº¤Ç¤Ï¡¢ ¤Þ¤È¤â¤Ê±¿ÍѤò¤·¤Æ¤¤¤ëÀßÄê¤ÎÃæ¤Ç¤Ï¡¢ 30Æü¤¬26%¡¢¼¡¤¤¤Ç60Æü¤¬19%¤È¿¤¤¤Ç¤¹¡£

    max-age¤ÎÃͤ¬Ä¹¤¹¤®¤ë¤È¡¢

    • ÀßÄê¥ß¥¹¤Ë¤è¤ë¾ã³²È¯À¸»þ¤ËĹ´ü´ÖÀܳ¤Ç¤­¤Ê¤¤¥æ¡¼¥¶¤¬½Ð¤Æ¤·¤Þ¤¦
    • Í­¸ú´ü´Ö¤Î¥ª¡¼¥Ð¡¼¥é¥Ã¥×¤¬É¬Íפʾì¹ç¡¢¼Â¼ÁŪ¤Ê¾ÚÌÀ½ñÍ­¸ú´ü´Ö¤¬Ìܸº¤ê¤·¤Æ±¿ÍÑ¥³¥¹¥È¤Ë±Æ¶Á¤¹¤ë
    ¤È¤¤¤¦¥ê¥¹¥¯¤Ë¤Ä¤¤¤Æ¡¢4.2Àá¤ÇÀâÌÀ¤µ¤»¤Æ夭¤Þ¤·¤¿¤¬¡¢ µÕ¤Ë¡¢max-age¤¬Ã»¤¹¤®¤ë¤È¤É¤¦¤Ê¤ë¤Î¤Ç¤·¤ç¤¦¤«¡©

    ´Êñ¤Ë¤Ï¡¢¥Ë¥»¤ÎHTTPS¥µ¥¤¥È¤Ë¾è¤Ã¼è¤é¤ì¤ë²ÄǽÀ­¤¬¹â¤¯¤Ê¤ë¤È¤¤¤¦»ö¤«¤È»×¤¤¤Þ¤¹¡£ ËÜʪ¥µ¥¤¥È¤Îmax-age¤¬Ã»¤¯¤Æ¡¢Í­¸ú´ü¸Â¤¬Àڤ줿¥¿¥¤¥ß¥ó¥°¤Ç¡¢¥É¥á¥¤¥ó¾è¼è¤êÅù¤ÎÈï³²¤Ë¤¢¤Ã¤Æ µ¶¥µ¥¤¥È¤¬ºî¤é¤ì¡¢¤½¤³¤Ç1ǯÅùŤ¤max-age¤ÎHPKP¥Ø¥Ã¥ÀÂбþ¤Î¥Ë¥»¥µ¥¤¥È¤¬ºî¤é¤ì¤¿¤È¤¹¤ë¤È¡¢ °ìÅÙ¤½¤Î¤è¤¦¤Ë¤Ê¤ì¤Ð¡¢ÅöÌÌ1ǯ´Ö¤Ï¡¢¥Ë¥»¥µ¥¤¥È¤Ë¤·¤«·Ò¤²¤Ê¤¤¤è¤¦¤Ê¥æ¡¼¥¶¤¬È¯À¸¤¹¤ë¤³¤È¤¬¤¢¤ê¤Þ¤¹¡£
    hpkp-maxage
    max-age¤¬Ã»¤¤¤È¡¢¤½¤ì¤À¤±¹¶·â¤Î¥Á¥ã¥ó¥¹¤ÏÁý¤¨¤ë¤¿¤á¡¢max-age¤Ï¤¢¤ëÄøÅÙŤ¯¤·¤Æ¤ª¤¯É¬Íפ¬¤¢¤ê¤Þ¤¹¡£

    ÍÍ¡¹¤Ê¾ðÊ󥽡¼¥¹¤«¤é¡¢ ¥Ë¥»¥µ¥¤¥È¤òºî¤é¤ì¤Æ¤¤¤¿¤Èµ¤¤Å¤¯¤Þ¤Ç¤Ë¡¢¤½¤ì¤Û¤É»þ´Ö¤Ï¤«¤«¤é¤Ê¤¤¤È»×¤¤¤Þ¤¹¡£ ¿ôÆü¤«¤é1½µ´Ö¤â¤¢¤ì¤ÐÌäÂê¤Ëµ¤¤Å¤¯¤È»×¤¤¤Þ¤¹¡£ Ⱦ·î¤ä1¥ö·î¤âµ¤¤Å¤«¤Ê¤¤¤Þ¤Þ¤¤¤ë»ö¤Ï¤Ê¤¤¤Ç¤·¤ç¤¦¡£ ¡Ö¥Ë¥»HTTPS¥µ¥¤¥ÈÌäÂê¤Ëµ¤¤Å¤¯¤Þ¤Ç¤ËÃÙ¤¯¤È¤â¤É¤ì¤¯¤é¤¤¤«¤«¤ë¤«¡×¤Ë¤è¤Ã¤Æ max-age¤ÎºÇ¾®Ãͤò·è¤á¤ë¤Î¤¬¤è¤¤¤È»×¤¤¤Þ¤¹¡£

    ½¾¤Ã¤Æ¡¢¹¶·â¤È²ÄÍÑÀ­¤Î¥ê¥¹¥¯¤Î¥È¥ì¡¼¥É¥ª¥Õ¤Ç¡¢»ä¤Ïmax-age¤ò15Æü¤«30ÆüÄøÅÙ¤Ë ÀßÄꤹ¤ë¤Î¤¬Îɤ¤¤è¤¦¤Ë»×¤Ã¤Æ¤¤¤Þ¤¹¡£

    5. HPKP¤Ï¤É¤ÎÄøÅٻȤï¤ì¤Æ¤¤¤ë¤Î¤«

    2016ǯ3·î¤ÎNetcraft¼Ò¤ÎSSLÍøÍÑÄ´ºº¤Ë¤è¤ì¤Ð¡¢À¤³¦¤Ç¤ï¤º¤«0.09%¤Î4100¥µ¥¤¥È°Ê²¼¤°¤é¤¤¤·¤«¡¢HPKP¤òÀßÄꤷ¤Æ¤ª¤é¤º¡¢ÀßÄê¤Î¸í¤ê¤â¿¤¤¤½¤¦¤Ç¡¢Àµ¤·¤¯ÀßÄê¤Ç¤­¤Æ¤¤¤ë¤Î¤Ï¡¢¤½¤Î¤¦¤Á3000¥µ¥¤¥ÈÄøÅ٤ʤΤÀ¤½¤¦¤Ç¤¹¡£

    ¤Þ¤¿¡¢CSP(Content Security Policy)¤äHPKP¤Ë¾Ü¤·¤¯¡¢HPKP¤Î¸¡¾Ú¤ä¥ì¥Ý¡¼¥ÈÀ襵¥¤¥È¤ò±¿±Ä¤·¤Æ¤¤¤ëScott Helme»á¤Î¥Ö¥í¥°¤Ë¤è¤ì¤Ð¡¢Alexa¾å°Ì100Ëü¤Î¥µ¥¤¥È¤Î¤¦¤ÁHPKP¤òÀßÄꤷ¤Æ¤¤¤ë¤Î¤Ï¡¢¤ï¤º¤«375¥µ¥¤¥È¤Ç¤¢¤Ã¤¿¤È¤¤¤¦Êó¹ð¤â¤¢¤ê¤Þ¤¹¡£

    Scott Helme»á¤Ï¡¢Ä´ºº¤ÎºÝ¤Î¥Ç¡¼¥¿¤â¸ø³«¤·¤Æ¤ª¤ê¡¢2016ǯ8·î»þÅÀ¤Ç¤ÎHPKPÂбþ¥µ¥¤¥È¤Î¥É¥á¥¤¥ó̾¥ê¥¹¥È448·ï¤¬¤¢¤Ã¤¿¤Î¤Ç¡¢¤½¤ì¤ò¥Ù¡¼¥¹¤Ë2017ǯ2·î¸½ºß¤Ç¤âHPKP¥Ø¥Ã¥À¤òÊÖ¤¹¥µ¥¤¥È283·ï¤ËÂФ·¤Æ¾¯¤·Ä´ºº¤·¤Æ¤ß¤Þ¤·¤¿¡£

    hpkp-graph1
    ¤Þ¤º¡¢HPKP¥Ø¥Ã¥À¤È¤·¤ÆÀµ¤·¤¤¥Õ¥©¡¼¥Þ¥Ã¥È¤Ë¤Ê¤Ã¤Æ¤¤¤ë¤«¡¢¤Þ¤¿¡¢»ÅÍ;åPIN¤Î¥Ï¥Ã¥·¥åÃͤÏ2¤Ä°Ê¾åɬÍפǤ¹¤¬¡¢2¤Ä°Ê¾å¤¢¤ë¤«¤È¤¤¤¦´ÑÅÀ¤Ç¡¢¥Ø¥Ã¥À¤¬¤É¤ÎÄøÅÙÀµ¤·¤¤¤«¤òÄ´¤Ù¤Þ¤·¤¿¡£16%¤ÏÀßÄ꤬Àµ¤·¤¯¤Ê¤¤¤³¤È¤¬¤ï¤«¤ê¤Þ¤·¤¿¡£´Ö°ã¤Ã¤Æ¤¤¤ë¤â¤Î¤ÎÃæ¤Ë¤Ï¡¢pin-sha256°À­¤¬Ìµ¤¤¡¢pin-sha256¤ÎÃͤ¬ÉÔŬÀÚ¡¢pin-sha256°À­¤¬°ì¤Ä¤·¤«¤Ê¤¤¡¢¤Ê¤ÉÍÍ¡¹¤Ç¤¹¡£Î㤨¤Ð¤³¤ó¤Ê¤â¤Î¤¬¤¢¤ê¤Þ¤·¤¿¡£
    • ...
    • pin-sha256="base64+info1="; max-age=3
    hpkp-graph2
    ¼¡¤Ë¡¢HPKP¥Ø¥Ã¥À¤ÎPIN¤Î¥Ï¥Ã¥·¥åÃͤθĿô¤Ç¤¹¡£°ìÈ̤ˤÏPIN¤Î¥Ï¥Ã¥·¥åÃͤÏ2¤Ä¤Ç½½Ê¬¤Ç¡¢2¤Ä¤È¤Ê¤Ã¤Æ¤¤¤ë¥µ¥¤¥È¤¬Â¿¤¯Àê¤á¤Þ¤¹¤¬¡¢1¸Ä¤·¤«¤Ê¤¤¸í¤Ã¤¿¥µ¥¤¥È¤ä¡¢3¤Ä°Ê¾å¤òÀßÄꤷ¤Æ¤¤¤ë¥µ¥¤¥È¤âÁêÅö¿ô¤¢¤ê¤Þ¤¹¡£15¸ÄÀßÄꤷ¤Æ¤¤¤ë¤È¤¤¤¦ÌԼԤ⤢¤ê¤Þ¤·¤¿¡£
    hpkp-graph3
    HPKP¤ÇÍ­¸ú¤Ê¸ø³«¸°¥Ï¥Ã¥·¥å¤ÎÊݸ´ü´Ö¤òÄê¤á¤Æ¤¤¤ë¤Î¤¬¡¢max-age¤ÎÃͤǤ¹¡£RFC¤Ç¤Ï¡¢60Æü¤ò¿ä¾©¤·¤Æ¤¤¤ë¤è¤¦¤Ç¤¹¤¬¡¢¼ÂºÝ¤Ë¤Ï30Æü¤òÀßÄꤹ¤ë¥µ¥¤¥È¤¬Â¿¤¤¤È¤ï¤«¤ê¤Þ¤¹¡£¤Þ¤¿¡¢¥Æ¥¹¥ÈÃæ¤Ê¤Î¤«1Æü°Ê²¼¤Ë¤·¤Æ¤¤¤ë¥µ¥¤¥È¤âÁêÅö¿ô¤¢¤ê¤Þ¤¹¡£Ã»¤¤¤È¥µ¥¤¥È¤ò¾è¤Ã¼è¤é¤ì¤ë²ÄǽÀ­¤¬¹â¤Þ¤ê¤Þ¤¹¤·¡¢Ä¹¤¹¤®¤ë¤ÈÀßÄê¤Ë¼ºÇÔ¤·¤¿¾ì¹ç¤½¤Î´ü´ÖÀܳÉÔǽ¤Ë¤Ê¤Ã¤Æ¤·¤Þ¤¤¤Þ¤¹¡£1ǯ¤Ê¤É¤ÈÀßÄꤹ¤ë¤È¡¢ÀßÄ꼺ÇÔ¤·¤Æ¤¤¤¿¤é1ǯ´ÖÀܳ¤Ç¤­¤Ê¤¤¥æ¡¼¥¶¡¼¤¬½Ð¤Æ¥¯¥ì¡¼¥à³Î¼Â¤Ê¤Î¤Ë¶²¤í¤·¤¤¤Ç¤¹¤Í¡£
    hpkp-graph4
    report-uri¤òÀßÄꤹ¤ë¤È¡¢Âбþ¥Ö¥é¥¦¥¶¤Ê¤é¤Ð¡¢HPKP¤Î¥¨¥é¡¼¤ÎºÝ¤Ë»ØÄꤷ¤¿URL¤Ë¥ì¥Ý¡¼¥È¤òÁ÷¤ë¤³¤È¤¬¤Ç¤­¤Þ¤¹¡£Jxck¤µ¤ó¤Î¥µ¥¤¥È¤Ç¤ÏÀßÄꤵ¤ì¤Æ¤¤¤ë¤½¤¦¤Ç¤¹¤¬¡¢¤Þ¤À¤Þ¤ÀÀßÄꤷ¤Æ¤¤¤ë¥µ¥¤¥È¤Ï¾¯¤Ê¤½¤¦¤Ç¤¹¡£
    hpkp-graph5
    HPKP¥Ø¥Ã¥À¤ÎÃͤˤϡ¢includeSubDomain¤È¤¤¤¦¥×¥í¥Ñ¥Æ¥£¤ò¤Ä¤±¤ë¤³¤È¤¬¤Ç¤­¤Þ¤¹¡£¤³¤ì¤ò¤Ä¤±¤ë¤Èexample.com¤ËHPKP¤òÀßÄꤷ¤Æ¤ª¤±¤Ð¡¢sub1.example.com¥É¥á¥¤¥ó¤ËÂФ·¤Æ¤âŬÍѤµ¤ì¤ë¤è¤¦¤Ë¤Ê¤ê¤Þ¤¹¡£
    hpkp-graph6
    HPKP¥Ø¥Ã¥À¤È¤·¤Æ¡¢Ä̾ï¤Ï"Public-Key-Pins"¤ò»È¤¤¤Þ¤¹¤¬¡¢"Public-Key-Pins-Report-Only"¤ò»È¤¨¤Ð¡¢¥Ö¥é¥¦¥¶¤ÏHPKP¤ò¸¡¾Ú¤»¤º¤Ë¡¢¥¨¥é¡¼¤È¤Ê¤Ã¤Æ¤âHTTPSÀܳ¤Ï³¤±¤é¤ì¤ë¥Æ¥¹¥ÈÍѤε¡Ç½¤¬¤¢¤ê¤Þ¤¹¡£Ìó10%¤Î¥µ¥¤¥È¤¬¤³¤Î¥Æ¥¹¥ÈÍѤÎÀßÄê¤ò»È¤Ã¤Æ¤¤¤ë¤È¤ï¤«¤ê¤Þ¤¹¡£
    hpkp-graph7
    Scott Helme»á¤Î2017ǯ»þÅÀ¤ÇÀܳ²Äǽ¤ÊHPKPÂбþ¥µ¥¤¥È283·ï¤Î¤¦¤ÁgTLD(com¡¢orgÅù)¡¢ccTLD(de¡¢ru¡¢jpÅù)Ê̤˷ï¿ô¤òÄ´¤Ù¤Æ¤ß¤ë¤È¡¢com¤¬Â¿¤¤¤Î¤ÏÅöÁ³¤Ç¤È¤·¤Æ¡¢¼ÂºÝ¤Î³ÆTLD¤ÎÅÐÏ¿·ï¿ô¤ËÈæ³Ó¤·¤Æ¸²Ãø¤Ë¿¤¤TLD¤¬¸«¤é¤ì¤Þ¤·¤¿¡£com¤Ï1.3²¯¡¢net¤Ède¤Ï1600Ëü¡¢ru¤Ï540Ëü¥É¥á¥¤¥ó¤¬ÅÐÏ¿¤µ¤ì¤Æ¤¤¤Þ¤¹¤¬¡¢¥É¥á¥¤¥óÅÐÏ¿¿ô¤ËÈæ¤Ù¤Æ¡¢ÈæΨŪ¤Ëru¡¢org¡¢de¤ÏÆͽФ·¤Æ¿¤¯¤Þ¤¿¡¢¥°¥é¥Õ¾å¤Ï¤½¤Î¾¤È¤·¤Æ¤¤¤Þ¤¹¤¬¡¢¥Þ¥¤¥Ê¡¼¤ÊccTLD¤Î¹ñ¤Ë¤Ä¤¤¤Æ¤â¡¢Èæ³ÓŪHPKPÀßÄ꤬¿¤¤¹ñ¤¬¤¢¤ê¤Þ¤¹¡£¤Þ¤¿¡¢edu¤¬°Û¾ï¤Ë¾¯¤Ê¤¤¤Î¤âµ¤¤Ë¤Ê¤ê¤Þ¤·¤¿¡£¤½¤Î¾¤Ë¤Ï¡¢ar/br/cl/il/pt/nl/tn/sk¤Ê¤É¡¢¥Þ¥¤¥Ê¡¼¤Ê¤â¤Î¤¬ 50¶á¤¯¤¢¤ê¤Þ¤·¤¿¡£

    6. º£¤ÎHPKP¤Î²¿¤¬¤¤¤±¤Ê¤«¤Ã¤¿¤Î¤«

    hpkp¤ÎȯÁÛ¼«ÂΤϡ¢ÉÔÀµÈ¯¹Ô¤µ¤ì¤¿¾ÚÌÀ½ñ¤ò»È¤Ã¤¿µ¶¥µ¥¤¥È¤òËɤ°¤¿¤á¤Î»ÅÁȤߤȤ·¤ÆÍ­ÍѤǤ¢¤ê¡¢Chrome¤äFirefox¤Î¥Ö¥é¥¦¥¶ÁȤ߹þ¤ß¤Î¥×¥ê¥í¡¼¥È¥Ô¥ó¤Ï ¤¦¤Þ¤¯µ¡Ç½¤·¤Æ¤¤¤ë¤è¤¦¤Ë»×¤¨¤Þ¤¹¡£ ¤½¤Î°ìÊý¤ÇHPKP¥Ø¥Ã¥À¤ò»È¤Ã¤¿Êý¼°¤Ï¡¢ ¤«¤Ê¤ê±¿ÍѤ¬Ê£»¨¤ÇÆñ¤·¤¯¡¢¼ºÇÔ¤¹¤ë¤È 2¥ö·î¤È¤¤¤Ã¤¿¡¢Ä¹´ü´Ö¡¢°ìÉô¤Î¥æ¡¼¥¶¤ÏÀܳ¤Ç¤­¤Ê¤¤¤È¤¤¤¦¡¢¾ã³²¤¬È¯À¸¤¹¤ë¥ê¥¹¥¯¤â¹â¤¤¤³¤È¤¬¤ï¤«¤ê¤Þ¤·¤¿¡£

    ¸Ä¿Í¤äÃæ¾®¤Î¥µ¥¤¥È¤ÇÉÔÀµ¾ÚÌÀ½ñ¤ò»È¤Ã¤Æ¤Þ¤Çµ¶¥µ¥¤¥È¤òºî¤ë¥á¥ê¥Ã¥È¤Ï¸«Åö¤¿¤é¤º¡¢¹¶·â¤ò¼õ¤±¤ë²ÄǽÀ­¤â¶Ë¤á¤ÆÄ㤤¤¿¤á¡¢HPKP¤ò»È¤Ã¤Æ¥µ¡¼¥Ó¥¹¾ã³²¤Î¥ê¥¹¥¯¤ò¼è¤Ã¤Æ¤Þ¤ÇHPKP¤òƳÆþ¤¹¤ëɬÍפϤʤ¤¤È»×¤¤¤Þ¤¹¡£

    ¤Ç¤Ï¡¢°ìÈÌ¥µ¥¤¥È¸þ¤±¤ËHPKP¤ÎÉáµÚ¤¬¿Ê¤à¤¿¤á¤Ë¤Ï¡¢±¿ÍѤΤ·¤ä¤¹¤¤¥µ¡¼¥Ó¥¹¾ã³²¤¬µ¯¤­¤Ë¤¯¤¤»ÅÍͤÎÊѹ¹¤¬É¬ÍפÀ¤È»×¤¤¤Þ¤¹¤¬¡¢¤É¤¦¤¹¤ì¤Ð¤³¤ì¤¬²Äǽ¤Ë¤Ê¤ë¤Ç¤·¤ç¤¦¤«¡©

    max-age¤ò2¥ö·î¤È²¾Äꤷ¤Æ¡¢ HPKP¥Ø¥Ã¥À¤Ç±¿ÍѾå¤Î²ÝÂê¤Ê¤Î¤Ï¡¢¾ÚÌÀ½ñ¹¹¿·¤Î2¥ö·îÁ°¤Ë¡¢¥Ô¥ó¤¬Êѹ¹¤Ë¤Ê¤ë¤Ê¤éÀßÄê¤ò»öÁ°ÀßÄꤷ¤Ê¤±¤ì¤Ð¤Ê¤é¤º¡¢´Ö°ã¤¨¤Ëµ¤¤Å¤¤¤Æ¥Ø¥Ã¥ÀÀßÄê¤òľ¤·¤Æ¤â¡¢2¥ö·î¤ÏÄÌ¿®¾ã³²¤¬È¯À¸¤¹¤ë¤È¤¤¤¦¤³¤È¤Ç¤¹¡£

    ¤½¤³¤Ç¡¢´Ö°ã¤¨¤Ëµ¤¤Å¤¤¤¿»þ¤Ë¤Ï¡¢¤¹¤°¤ËÀßÄêÊѹ¹¤¬È¿±Ç¤Ç¤­¤¿¤ê¡¢¥µ¡¼¥Ð¡¼Â¦¤Ç»ÃÄêŪ¤Ë¥Ö¥é¥¦¥¶¤ÎHPKP¸¡¾Ú¤ò̵¸ú²½¤Ç¤­¤ë¥­¥ë¥¹¥¤¥Ã¥Á¤¬¤¢¤ë¤È¤è¤¤¤È»×¤¦¤Î¤Ç¤¹¡£¿¼¤¯¹Í»¡¤·¤¿Ìõ¤Ç¤Ï¤¢¤ê¤Þ¤»¤ó¤¬¡¢Î㤨¤Ð¡¢HPKP¹¹¿·Æü¤ò¥Ø¥Ã¥À¤Ëµ­ºÜ¤¹¤ë¤Ê¤É¤·¤Æ¡¢ÀßÄê¤Ë¹¹¿·¤¬¤¢¤ì¤Ðmax-age¤Ë´Ø¤ï¤é¤º¹¹¿·¤·¡¢Ìµ¸ú²½¤¹¤ë¤Ê¤é¡¢Ìµ¸ú²½¤¹¤ë¤È¤¤¤Ã¤¿µ¡Ç½¤òÄ󶡤¹¤ì¤Ð¡¢±¿ÍѤÏmax-age¤äÀßÄê¥ß¥¹¤Î¼öÇû¤«¤é²òÊü¤µ¤ì¤ë¤è¤¦¤Ë»×¤¤¤Þ¤¹¡£

    ¾¤Ë¤â¤³¤ÎÌäÂê¤Î²ò·èÊýË¡¤Ï¤¢¤ë¤«¤â¤·¤ì¤Þ¤»¤ó¤¬¡¢²¿¤é¤«¤Î¼êÅö¤Æ¤ò¤·¤Ê¤¤¸Â¤ê¡¢HPKP¤ÏÉáµÚ¤·¤½¤¦¤Ë¤Ï¤¢¤ê¤Þ¤»¤ó¡£

    7. ¤ª¤ï¤ê¤Ë

    °Ê¾å¡¢HPKP¤Ë¤Ä¤¤¤Æ¡¢¤É¤³¤Ë¥Ô¥ó¤òÂǤĤ«¡¢max-age¤Ï¤É¤¦¤¹¤ë¤«¤Ê¤É±¿ÍÑÌ̤«¤é¡¢ ¤¤¤í¤¤¤í¹Í»¡¤äÀ°Íý¤ò¤·¤Æ¤ß¤Þ¤·¤¿¡£ ¸½»þÅÀ¤Ç¤Ï¡¢HPKP¤òƳÆþ¤¹¤ë¤Î¤Ï»þ´ü¾°Áá¤Ç¡¢ ±¿ÍѤËÉéô¤ò¤«¤±¡¢¥µ¡¼¥Ó¥¹Ää»ß¤Î¥ê¥¹¥¯¤â¹â¤¤¤È¤¤¤¦¤³¤È¤â ¤´Íý²ò¤¤¤¿¤À¤±¤¿¤Î¤Ç¤Ï¤È»×¤¤¤Þ¤¹¡£

    ¤³¤ì¤Ç¡¢¼«Ê¬¤¬HPKP¤Ë¤Ä¤¤¤ÆÁ°¤«¤é½ñ¤­¤¿¤¤¤È»×¤Ã¤Æ¤¤¤¿¤³¤È¤ò¡¢ Íî¤ÁÃ夤¤ÆÀ°Íý¤Ç¤­¡¢3ǯ±Û¤·¤°¤é¤¤¤ËÅǤ­½Ð¤»¤Þ¤·¤¿¡£ ¤ï¤«¤ê¤Ë¤¯¤«¤Ã¤¿¤ê¡¢Íý²ò¤¬´Ö°ã¤Ã¤Æ¤¤¤¿¤é¤¹¤ß¤Þ¤»¤ó¡£ ¸Ä¿ÍŪ¤Ë¤Ï¡¢HPKP¤Ë¤Ä¤¤¤Æ¤Ï¡¢¤³¤ì¤Ç¤ï¤À¤«¤Þ¤ê¤È¤«¥â¥ä¥â¥ä´¶¤È¤¤¤¦¤Ï³µ¤Í ʧ¿¡¤µ¤ì¤¿¤è¤¦¤Ë»×¤¤¤Þ¤¹¡£ ¤Þ¤¡¡¢¡Ö¥Ö¥í¥°¤Ê¤ó¤Æ¤½¤ó¤Ê¥â¥Î¤è¤Í¡×¤Ã¤Æ¤³¤È¤Ç¡¢¡¢¡¢£÷

    8. (»²¹Í) HPKP´ØÏ¢¤ÎÊÙ¶¯¤Ë¤Ê¤ë¥ê¥ó¥¯

    Netcraft: Secure websites shun HTTP Public Key Pinning
    HPKP¤¬Î®¹Ô¤Ã¤Æ¤¤¤Ê¤¤¤³¤È¤ÎÅý·×¡£¤Ê¤¼Î®¹Ô¤é¤Ê¤¤¤«¤Î²òÀâ¡£Îɵ­»ö¡£
    Netcraft: HTTP Public Key Pinning: You're doing it wrong!
    Netcraft¼Ò¤Î¡¢À¤¤ÎÃæ¤ÎHPKPÂбþ¥µ¥¤¥È¤ÎÀßÄê¸í¤ê¤Ë´Ø¤¹¤ë²òÀâ¡£Îɵ­»ö¡£
    Scott Helme¤µ¤ó¤ÎHPKP¥Ö¥í¥°µ­»ö
    CSP¤äHSTS¤äHPKP¤Ê¤ÉSSL´ØÏ¢µ»½Ñ¤ÎÀìÌç²È¤Ç¡¢HPKP¤Ê¤É¤Î¥ì¥Ý¡¼¥ÈÀ襵¥¤¥È report-uri.io ¤ò ±¿±Ä¤·¤Æ¤¤¤ëScott Helme¤µ¤ó¤Î¥Ö¥í¥°¡£HPKPÂбþ¥µ¥¤¥È¤Î¥É¥á¥¤¥ó¥ê¥¹¥È¤Ê¤É¤Î¥Ç¡¼¥¿¤â¤¢¤ê¤Þ¤¹¡£
    Qualys Blog: Is HTTP Public Key Pinning Dead?
    Ivan Ristic»á¤Î¡¢¡ÖHPKP¤¬½ª¤ï¤Ã¤Æ¤¤¤ë¤«¡©¡×¤Ë´Ø¤¹¤ëµÄÏÀ¡£
    Raymii.org: HTTP Public Key Pinning Extension HPKP for Apache, NGINX and Lighttpd
    ²òÀâ¤Ï½¼¼Â¡£³Æ¥µ¡¼¥Ð¡¼Ëè¤ÎHPKP¥Ø¥Ã¥À¤ÎÀßÄêÎã¡£
    MDN: Public Key Pinning
    Mozilla¤Ë¤è¤ëHPKP²òÀâ¡£Chrome¤äFirefox¤Ç¤ÎHPKPÂбþ¥Ð¡¼¥¸¥ç¥ó¤Îµ­½Ò¡£¥µ¡¼¥Ð¡¼ÀßÄêÎã ¥ì¥Ý¡¼¥Èµ¡Ç½¤Ï¿·¤·¤¤Chrome¤·¤«»È¤¨¤Ê¤¤»ö¤Î¸ÀµÚ¤Ê¤É¡¢»²¹Í¤Ë¤Ê¤ë¡£
    Public Key Pinning¤Ë¤Ä¤¤¤Æ - Chris Palmer (¸¶Ê¸)
    Chris Palmer¤Ë¤è¤ëHPKP²òÀâ¡£¸í²ò¤â¤¢¤ë¤¬¡¢½é¤á¤Æ¾ÚÌÀ½ñ¥Á¥§¡¼¥ó¤Î¤É¤³¤Ë¥Ô¥ó¤òÀßÄꤹ¤ë¤«¡¢¤½¤Î¥±¡¼¥¹Ê¬¤±¤Ë¤Ä¤¤¤Æ¹Í»¡¤·¤¿µ­»ö¡£
    ¤Ü¤Á¤Ü¤ÁÆüµ­¡§ÉÔÀµ¤ÊSSL¾ÚÌÀ½ñ¤ò¸«ÇˤëPublic Key Pinning¤ò»î¤¹
    jovi¤µ¤ó¤Ë¤è¤ëHPKP(¥É¥é¥Õ¥È)¤Ë´Ø¤¹¤ë¾ÜºÙ¤«¤Ä¹­ÈϤʲòÀâ¤Ç¤¹¡£
    Jxck¤µ¤ó¤Î¥Ö¥í¥°¡§Public Key Pinning for HTTP(HPKP) Âбþ¤È report-uri.io ¤Ç¤Î¥ì¥Ý¡¼¥È¼ý½¸
    Jxck¤µ¤ó¤Î²òÀâ¡£ÆäËreport-uri¤Îµ¡Ç½¤ò»î¤·¤Æ¤ß¤¿Êó¹ð¤¬µ®½Å¡£
    ¸ø³«¸°¥Ô¥ó¥Ë¥ó¥°¤Ë¤è¤ë¥æ¡¼¥¶ÄÉÀ× HPKP Supercookies
    º£²ó¤Îµ­»ö¤È¤Ï¤¢¤Þ¤ê´Ø·¸¤Ê¤¤¤Ç¤¹¤¬¡¢ ¤Ë¤·¤à¤Í¤¢¤µ¤ó¤ÎHPKP¤ò»È¤Ã¤¿¥¯¥Ã¥­¡¼¤ò»È¤ï¤Ê¤¤¥æ¡¼¥¶¡¼ÆÃÄê¤ÎÌÌÇò¤¤»î¤ß¤Ë´Ø¤¹¤ë¥¹¥é¥¤¥É»ñÎÁ¡£
    OWASP: Certificate and Public Key Pinning
    OWASP¤Î²òÀâµ­»ö¡£ÌµÂ̤ʾðÊó¤â¿¤¤¡£

    9. Äɵ­

    9.1. Äɵ­(2017.02.26) HPKP¤Î¥Ö¥é¥¦¥¶¥µ¥Ý¡¼¥È¾õ¶·

    caniuse.com¥µ¥¤¥È¤Ç¤ÏÍÍ¡¹¤Ê¥Ö¥é¥¦¥¶¤Îµ¡Ç½¤Î¥µ¥Ý¡¼¥È¾õ¶·¤ò¾ðÊóÄ󶡤·¤Æ¤¤¤Þ¤¹¤¬¡¢ 2017ǯ2·î»þÅÀ¤Ç¤Î HPKP¤Î¥Ö¥é¥¦¥¶¥µ¥Ý¡¼¥È¾õ¶·¤Ë¤Ä¤¤¤Æ¤â µ­ºÜ¤µ¤ì¤Æ¤¤¤ë¤Î¤Ç¡¢¼¨¤·¤Æ¤ª¤­¤Þ¤¹¡£Firefox¡¢Chrome¡¢Opera¡¢AndroidÈÇChrome¤Ç¤Ï ¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Þ¤¹¤¬¡¢¤½¤ì°Ê³°¤Ç¤Ï¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Þ¤»¤ó¡£
    hpkp-caniuse

    9.2. Äɵ­(2017.02.26) smashingmagazine.com¤ÇȯÀ¸¤·¤¿HPKP¾ã³²

    ¤½¤Î¸å¡¢HPKP¤Ë¤Ä¤¤¤Æ·Ñ³¤·¤ÆÄ´¤Ùʪ¤ò¤·¤Æ¤¤¤¿¤é¡¢ smashingmagazine.com¤Î¥Ö¥í¥°¤Ç¡¢ HPKP¤Ë¤è¤êȯÀ¸¤·¤¿Àܳ¾ã³²¤Ë¤Ä¤¤¤Æ¤Î¹Í»¡¤¬½ñ¤«¤ì¤Æ¤¤¤Þ¤·¤¿¡£ ¤³¤³¤Ç¤Ï¡¢°Ê²¼¤Î¤è¤¦¤Ë½ñ¤«¤ì¤Æ¤¤¤Þ¤·¤¿¡£

    • HPKP¤ÏÃæ´Ö¼Ô¹¶·â¤ËÂФ·¤ÆÍ­¸ú¤Êµ¡Ç½¤À¤¬
    • HPKP¤ÎÀßÄê¥ß¥¹¤Ç2016ǯ10·î21Æü¤«¤é25Æü¤Ë¤«¤±HTTPSÀܳ¾ã³²¤¬È¯À¸
    • ¾ÚÌÀ½ñ´ü¸ÂÀÚ¤ì¤ÇHPKP¥Ø¥Ã¥À¤ò¹¹¿·¤·¤¿¤é¥¨¥é¡¼¤Ë¤Ê¤Ã¤¿
    • ¤¹¤Ç¤Ë¾ÚÌÀ½ñ¤Ï´ü¸ÂÀÚ¤ì¤Ç¥í¡¼¥ë¥Ð¥Ã¥¯¤Ï¤Ç¤­¤Ê¤¤
    ¶µ·±¤È¤·¤Æ¡¢¥Ö¥í¥°¤Ç¤Ï¡¢
    • ¶âÍ»¥µ¥¤¥È¤Ê¤É¤Ê¤é¤Ð¡¢HPKP¤ò»È¤¦²ÁÃͤϤ¢¤ë¤¬¡¢Ã±¤Ê¤ë¾ðÊóÄ󶡥µ¥¤¥È ¤Ê¤é¡¢¤½¤ÎɬÍפâ¤Ê¤¤¡£HPKPÀßÄê¥ß¥¹¤Ë¤è¤ë¥µ¡¼¥Ó¥¹Ää»ß¤Ï¡¢Ãæ´Ö¼Ô¹¶·â¤è¤ê¤âÂ礭¤Ê¶¼°Ò¤À
    • max-age¤òû¤¯¤¹¤ë¤³¤È¤Ë¤è¤êÌäÂê¤ò´ËϤǤ­¤ë
    »ä¤â¥µ¡¼¥Ó¥¹Äó¶¡ÉÔǽ¤ÎÊý¤¬¡¢Â礭¤ÊÌäÂê¤À¤È¤¤¤¦¤Î¤ÏƱ°Õ¤Ç¤¹¤¬¡¢ Á°¤Ë¤â½Ò¤Ù¤¿Ä̤ꡢmax-age¤òû¤¹¤®¤ëÃͤËÀßÄꤹ¤ë¤Î¤Ï·üÌ¿¤Ç¤Ï¤Ê¤¯¡¢Ãí°Õ¤¬É¬ÍפǤ¹¡£ ¤³¤Î¥µ¥¤¥È¤Ç¤Ï¡¢max-age¤ò1ǯ¤È¤·¤Æ¤¤¤ë¤è¤¦¤Ç¤¹¤¬¡¢³Î¤«¤Ë¤³¤ì¤ÏŤ¹¤®¤Þ¤¹¡£ ¿·¤·¤¯ÀßÄꤵ¤ì¤¿HPKP¥Ø¥Ã¥À¤ò¸«¤Æ¤ß¤Þ¤·¤¿¤¬¡¢¸½¹Ô¤ÎSSL¥µ¡¼¥Ð¡¼¾ÚÌÀ½ñ¤Î¾¤Ë 3¤Ä¥Ô¥ó¤¬ÀßÄꤵ¤ì¤Æ¤ª¤ê¡¢max-age¤Ï1Æü¤ËÀßÄꤵ¤ì¤Æ¤ª¤ê¡¢¤¤¤í¤¤¤í¤ÈÀßÄê¤Ë¤ÏÌäÂ꤬¤¢¤ê¤½¤¦¤Ç¤¹¡£