自堕落な技術者の日記 (Diary of a Slovenly Engineer)

´ðËܤ϶ô¤Ã¤Æ¤ë¤«°û¤ó¤Ç¤ë¤«¤Ç¤¹¤¬¡¢¤è¤¯¼ñÌ£¤Ç¥«¥é¥ª¥±¡¦PKI¡¦½ð̾¡¦Ç§¾Ú¡¦¥×¥í¥°¥é¥ß¥ó¥°¡¦¾ðÊ󥻥­¥å¥ê¥Æ¥£¤ò¤ä¤Ã¤Æ¤¤¤Þ¤¹¡£Î¹¹¥¤­¡£¥Æ¥ì¥Ó¹¥¤­¤Ç·ÝǽÄÌ


Thinking about HPKP (HTTP Public Key Pinning)

Contents
1. Introduction
2. The background that gave rise to HPKP
3. How HPKP works
4. Considerations on configuring pins
　4.1. How to obtain pin values
　4.2. Choosing the pin that matches the certificate chain
　4.3. Operating certificate renewal and HPKP header changes
　4.4. Why "backup pin" is a poor name
　4.5. A recommended backup pin value when pinning a CA key
　4.6. Pinning several certificates in the chain is pointless
　4.7. Issues when you keep pinning the same CA certificate
　4.8. Issues when pinning two CA certificates
　4.9. Thinking about a recommended max-age
5. How widely is HPKP used?
6. What went wrong with today's HPKP
7. Closing
8. (Reference) Useful links on HPKP
9. Addenda
　9.1. Addendum (2017-02-26): browser support for HPKP
　9.2. Addendum (2017-02-26): the HPKP outage at smashingmagazine.com

1. Introduction

HPKP stands for HTTP Public Key Pinning. It is specified in RFC 7469, Public Key Pinning Extension for HTTP, and is a mechanism that lets a website owner protect against a certificate chain the owner never intended being used on a fake site.

There are few explanations in Japanese, but it is covered in articles by jovi0608, whom I greatly respect, and by Jxck, among others.

Since a little over three years ago, around the time before I wrote the IPA guide, I had wanted to write something on a blog about the operational issues of HPKP, but I was swamped with odd day-to-day things and never got around to writing it up. (Also, just as I was about to write it, jovi's article came out and I figured that was good enough, lol.) I tried to get it into the IPA guide as well, but for grown-up reasons it could not be added. Sigh.

This time I will leave the basics of what HPKP is to other people's blogs and focus on the current state of HPKP and the operational issues it raises. It is going to get long; sorry about that.

To start with the conclusion: I believe you should not casually enable HPKP on a production site. The HPKP specification itself was not designed with operations firmly in mind. For an ordinary site it brings little security benefit, while over long-term operation the risk of a period in which you cannot serve your users at all is far too high, and it adds to your certificate costs.

This is probably the first write-up in the world to dig this deeply into HPKP operations. Please enjoy, lol.

2. The background that gave rise to HPKP

From around 2011, incidents increased in which, through cyber attacks on certificate authorities or lapses in CA operations, attackers obtained wildcard certificates for prominent sites such as Google and Facebook (*.google.com and the like), which are convenient for attacks. What really angered Google was the 2011 incident in which the Dutch CA DigiNotar was compromised, a wildcard certificate for *.google.com was issued, and it was used for eavesdropping and attacks at an Iranian provider.
[Figure: hpkp-digi]
To prevent incidents like this, a mechanism is needed that raises a warning when a certificate the site owner did not intend is used for a website. HPKP was developed for this purpose. With HPKP, by checking for a matching hash of a certificate public key in the certificate chain, the browser can verify whether the certificate is one the website owner intended.
[Figure: hpkp-hpkp1]
Chapter 1 of jovi's blog explains the background and the mechanism clearly, so please have a look at that as well.

3. How HPKP works

There are two ways HPKP is implemented.

  • 1) For prominent sites such as Google, Facebook and Twitter, checking against a list of pins built into browsers such as Chrome and Firefox (the Preloaded Known Pinned Host List)
  • 2) When communicating over HTTPS, obtaining an HTTP header carrying pin information from the server, storing it in the browser, and using it for checks on subsequent connections
With method 1), as long as your browser is up to date, you connect securely to the prominent sites using HPKP without configuring anything. What I want to discuss in this article is method 2), where the site owner configures it, so I will explain how 2) works.
[Figure: hpkp-sethead]
You configure the HPKP HTTP header on the web server so that browsers will not connect to it through an illegitimate certificate chain; the header is derived from the certificate chain, from the root certificate down to the SSL server certificate, used in the web server's HTTPS configuration. The header and the format of its value are as follows.

    Public-Key-Pins: \
        pin-sha256="<Base64 of the SHA-256 hash of one of the public keys in the chain>"; \
        pin-sha256="<Base64 of a SHA-256 hash that matches none of the public keys in the chain>"; \
        [pin-sha256="<other hash value 1>"; ...; ] \
        max-age=<number of seconds the browser keeps this HPKP header>; \
        [includeSubDomains;] \        (whether subdomains, e.g. sub.example.com for example.com, are covered too)
        [report-uri="<URL to which the JSON-format error report is POSTed>"; ]

    [...] denotes an optional part.

  • pin-sha256 is set based on the certificate chain; how to set it and the considerations involved are discussed later.
  • For the max-age retention period, section 4.1 of the RFC discusses it and suggests that 60 days (= 5,184,000 seconds) may be good; I will discuss that later as well.
  • includeSubDomains is the flag that extends coverage to subdomains: if HPKP is set on example.com, then sub1.example.com and www1.sub2.example.com are covered too. If you have no subdomains at the moment, it seems better not to set it casually.
  • Like CSP, HPKP is validated on the browser side, so the server side can be left unable to tell why an error occurred. With report-uri, when an HPKP error occurs in the browser, it sends a JSON-format error report by POSTing it to the web server at the specified URL, which may help you learn about configuration problems. Jxck's blog has a detailed report on trying out this setting, which is worth reading. As that blog also notes, the conditions under which a report is emitted are unclear and seem to depend on the browser and its version; I have not managed to get reports generated either.
Also, if you send the header as "Public-Key-Pins-Report-Only" instead of "Public-Key-Pins", error reports are collected without the browser raising an error, so it is a good idea to use this when testing.

4. Considerations on configuring pins

By setting pins with the pin-sha256 attribute, you can prevent a certificate the server owner did not intend from being used. The pin values consist of at least two entries in total: at least one that matches one of the certificates in the certificate chain, and at least one that matches none of them.
[Figure: hpkp-intersect]

4.1. How to obtain pin values

The simplest way to obtain the hash values, if the web server's HTTPS configuration is already complete, is to use Scott Helme's HPKP hash page. Enter the URL of any HTTPS site, your own or someone else's, and it computes the pin hash of each certificate in the chain.
[Figure: index]
From the SSL server certificate up to the root certificate, the pin hashes are shown as

pin-sha256="hUIG87ch71EZQYhZBEkq2VKBLjhussUw7nR8wyuY7rY="
so you just decide which pin to use and set it in the HTTP header.

As for computing the hash of a single pin, it can be computed from a certificate, from a certificate signing request (CSR/PKCS#10), or from the PKCS#8 public key extracted from the private key (and, depending on the key algorithm, from the key parameters). Many people's blogs go to the trouble of creating a CSR before computing the hash, but especially for a backup pin that does not yet have a certificate, it seems better to skip that and hash the public key directly. As before, Scott Helme has a page that computes the pin hash from a PEM-format PKCS#8 public key, a CSR or an X.509 certificate, so using that is the easy route.

To obtain a pin by hand, the following commands give you the pin value, i.e. the SHA-256 hash of the public key. Other articles use the base64 command or force you to generate a CSR each time; the method shown here uses only the OpenSSL command, and I have given examples so that pins can be obtained in the various cases. All four pipelines pass the key through openssl rsa, so they apply to RSA keys.

    Pin of the PKCS#8 public key in the subjectPublicKeyInfo field of an X.509 certificate:
    % openssl x509 -in <PEM certificate> -pubkey -noout | openssl rsa -pubin -outform DER | \
      openssl dgst -sha256 -binary | openssl enc -base64
    te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=

    Pin of the PKCS#8 public key in the subjectPKInfo field of a CSR:
    % openssl req -in <PEM CSR file> -pubkey -noout | openssl rsa -pubin -outform DER | \
      openssl dgst -sha256 -binary | openssl enc -base64
    te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=

    Pin from a PKCS#8 private key:
    % openssl rsa -in <PKCS#8 private key> -pubout -outform DER | \
      openssl dgst -sha256 -binary | openssl enc -base64
    te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=

    Pin from a PKCS#8 public key:
    % openssl rsa -pubin -in <PKCS#8 public key> -pubout -outform DER | \
      openssl dgst -sha256 -binary | openssl enc -base64
    te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=

    Set the resulting value in the header as pin-sha256="te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=".

Once you have the value, set it in the web server's HTTP header. For Apache HTTP Server, for example, configure it as follows.

    <VirtualHost _default_:443>
      ...
      Header set Public-Key-Pins \
        "pin-sha256=\"MRnxhYBVCMAxZHwalTJ7ZVl6P2005lll4ttWr+RN1Ro=\"; \
         pin-sha256=\"633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q=\"; \
         max-age=2592000; \
         report-uri=\"https://report.example.com\""
      ...

Backslashes and line breaks are added for readability. 2,592,000 seconds is 30 days.
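As an added example (not code from the original post), the same pin computation done in Python with only the standard library: the pin is Base64(SHA-256(DER SubjectPublicKeyInfo)), and a minimal DER walk pulls the SubjectPublicKeyInfo out of a certificate, so the certificate, PEM public key and DER public key inputs all yield the same pin for the same key. The key material is constructed inline (a structurally valid but toy certificate, not a real key or CA product), and `der`, `der_read`, `cert_spki`, `sample_spki` and `sample_cert` are names I chose.

```python
import base64
import hashlib


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; long-form lengths up to 65535 bytes are enough here."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int = 0):
    """Read the TLV starting at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as RFC 7469 defines it: Base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- armour of a PEM block and decode its body."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der_bytes: bytes, label: str) -> str:
    body = base64.encodebytes(der_bytes).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


def cert_spki(cert_der: bytes) -> bytes:
    """Return the raw subjectPublicKeyInfo TLV of a DER-encoded X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:            # explicit [0] version is optional (absent in v1 certificates)
        pos = nxt
    for _ in range(5):         # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, nxt = der_read(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo SEQUENCE not found")
    return tbs[pos:nxt]


# Constructed toy key material: structurally valid DER, but the modulus is arbitrary
# bytes and the certificate carries a dummy signature. It exists only so the example
# runs offline; it is not a real key and not a real CA's product.
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1


def sample_spki() -> bytes:
    modulus = der(0x02, b"\x00" + bytes(range(0xC0, 0xE0)))   # leading 0x00: positive INTEGER
    exponent = der(0x02, b"\x01\x00\x01")
    rsa_public_key = der(0x30, modulus + exponent)
    algorithm = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_public_key))


def sample_cert() -> bytes:
    algorithm = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                       # version v3
              + der(0x02, b"\x01")                                # serialNumber
              + algorithm                                         # signature
              + der(0x30, b"")                                    # issuer (empty Name)
              + der(0x30, der(0x17, b"170101000000Z")
                          + der(0x17, b"190101000000Z"))          # validity
              + der(0x30, b"")                                    # subject (empty Name)
              + sample_spki())                                    # subjectPublicKeyInfo
    return der(0x30, tbs + algorithm + der(0x03, b"\x00" + bytes(16)))


if __name__ == "__main__":
    # The certificate path and the PEM public key path give one and the same pin.
    pem = der_to_pem(sample_spki(), "PUBLIC KEY")
    print('pin-sha256="%s"' % spki_pin(cert_spki(sample_cert())))
    print('pin-sha256="%s"' % spki_pin(pem_to_der(pem)))
```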

4.2. Choosing the pin that matches the certificate chain

HPKP requires at least one pin that matches the certificate chain. In this section I want to consider two cases:

  • 1) A comparison when choosing only one certificate from the chain
  • 2) Considerations when choosing two or more, or all, of the certificates in the chain

When the certificate chain has three levels, an SSL server certificate, an intermediate CA certificate and a root certificate, and you are to choose just one pin to verify that the chain is not an illegitimate, unintended one, which should you choose? Each of the three has advantages and disadvantages, so let's consider them. For the SSL server certificate I further split into the case where the key pair to be used at renewal a few years later is decided in advance (key pre-generated) and the case where it is not (no key pre-generation).

Columns of the original table: Certificate | Advantages | Disadvantages | Security | Operational burden

① Root CA certificate
  Advantages:
  • Long validity period, so pins rarely need changing; probably no change needed for about 10 years
  • The preloaded pins built into browsers use root certificates
  Disadvantages:
  • The public key after a key rollover is not known in advance, so a backup pin cannot be used
  • When you buy a new SSL server certificate it will not necessarily sit under the same root CA, and then a pin migration is needed
  • The number of certificates under a root is enormous, so if that CA is made to issue a fraudulent certificate, the risk that the attack cannot be prevented is high. For example, there was the incident in which Symantec issued Google certificates without Google's permission.
  • The likelihood that the root CA changes at certificate renewal is low, but if it does, a troublesome migration that accounts for max-age is needed and the operational load is high
  Security: low / Operational burden: high

② Intermediate CA certificate
  Advantages:
  • Somewhat long validity period, so pins need changing slightly less often; probably no change needed for about 5 years
  • Perhaps balanced between security and operational burden?
  • If the pinned intermediate CA public key does not change, renewing the SSL server certificate is relatively easy
  Disadvantages:
  • There is no guarantee that the pinned intermediate CA public key will be the same at the next SSL server certificate renewal.
  • At SSL server certificate renewal there is a risk that the intermediate CA certificate changes, and since that is not announced in advance, the risk of a service outage from SSL connection failures is high
  • If the intermediate CA certificate changes, the operational burden of the migration is very high, both in how often it happens and in the work involved
  • If the same intermediate CA fraudulently issues a certificate for the same domain, it would still pass validation. Lower risk than ①, but higher than ③ and ④
  • There is some chance the intermediate CA changes at renewal, more likely than ①. If it does, a troublesome migration that accounts for max-age is needed and the operational load is high
  Security / Operational burden: 名 / 名 (as printed in the source)

③ SSL server certificate (key pre-generated)
  Advantages:
  • At SSL server certificate renewal the chance of getting the pinned public key match wrong is low, so the risk of a service outage from HPKP misconfiguration is the lowest
  • The method the HPKP RFC appears to recommend (it is described as if it were easy to do)
  • Against a fraudulent certificate chain being used it is (private-key leakage aside) as strong as ④, and stronger than ① and ②
  • Since the pin that will change across renewal is known in advance, the certificate can be renewed without worrying much about max-age (as long as you do not renew again within max-age)
  Disadvantages:
  • Pre-generating the key pair for renewal is only possible when you generate the key pair by hand with OpenSSL or similar; with certificate issuance services where you need not create a CSR yourself and a browser component generates the key pair automatically at issuance, this approach cannot be used
  • Let's Encrypt cannot be used, so no reduction of operational burden from automatic SSL server certificate renewal can be expected
  • Key pair generation is normally done at certificate renewal, but here it is done about two years ahead. Pre-generating the key raises the risk that the SSL server private key leaks during that time, and the operational burden of keeping it secret is large
  • Certificate renewal still requires some care with configuration changes. It also recurs roughly every two years, so the operational burden is relatively high
  Security / Operational burden: 名 / 名 (as printed in the source)

④ SSL server certificate (no key pre-generation)
  Advantages:
  • Everything is under your own control; the risk of a service outage from misconfiguration is comparable to ③
  • Compared with ③, the risk of the SSL server private key leaking is lower
  • Against a fraudulent certificate chain being used it is (private-key leakage aside) as strong as ③, and stronger than ① and ②
  Disadvantages:
  • The usable period of the SSL server certificate is always shortened by (max-age + α) × 2. For a two-year certificate with a max-age of 2 months, including testing and margin it is shortened by about 4 to 5 months, which increases certificate costs
  • If you overlap the validity periods of the old and new certificates by max-age + α around renewal, you will always be changing pins while accounting for max-age. There is an operational burden, but compared with ① and ②, where whether the pin changes is up to the CA and cannot be known, you can always plan a renewal and HPKP change schedule that accounts for max-age and make it routine, so the psychological burden is a little lower than with ① and ②
  Security: high / Operational burden: medium

So which of ① to ④ should you choose? For an ordinary site that cannot use the browser built-in pins, I think ② or ③ is reasonable, but all of them carry an operational burden and a risk of being unable to serve. For an individual setting it up for testing, anything goes; but if I were entrusted with operating a commercial site, my biggest worry would be a prolonged outage and the complaints that follow, so I would decide not to use HPKP.

4.3. Operating certificate renewal and HPKP header changes

In section 4.2 I considered the differences that arise depending on where in the certificate chain the pin is set.

In this section, building on 4.2, I consider how to operate certificate renewal and HPKP header changes on an HPKP-enabled site while avoiding outages caused by misconfiguration.

Certificate renewal operations with HPKP fall into four cases.

• a) More than max-age before renewal, you confirm that the pinned key will not change
• b) More than max-age before renewal, you know what the pinned public key will change to across the renewal
• c) More than max-age before renewal, you do not know what the pinned public key will change to (or a change is certain), but you can overlap the validity periods of the old and new certificates by max-age + α
• d) More than max-age before renewal, you do not know what the pinned public key will change to (or a change is certain), and you cannot overlap the validity periods of the old and new certificates by max-age + α
Such a description is hard to picture, so let me give concrete examples per certificate in the chain.
• a-1) You pin the root or intermediate CA certificate, and on asking customer support you learn that the root and intermediate CA certificates will not change at the next renewal, after max-age. (If customer support is wrong, some users face a service outage of 2 months (= max-age).)
  [Figure: hpkp-move1]
• b-1) You pin the root or intermediate CA certificate, and customer support tells you which root and intermediate CA certificates will be used at the next renewal after max-age, or it is announced on a support page. The same applies when changing issuance service or moving to EV.
  [Figure: hpkp-move-b1]
• b-2) You pin the SSL server certificate, and the key pair for the next renewal has already been pre-generated with OpenSSL or similar and is stored
  [Figure: hpkp-move-b2]
• c-1) You pin the root or intermediate CA certificate, but get no answer from customer support about whether they will change at the next renewal and cannot tell; so you reluctantly renew max-age + α early, obtaining the new certificate in advance so the validity periods overlap, and the root or intermediate CA certificate did in fact change (if it did not, this becomes case a-1).
  [Figure: hpkp-move-c1]
• c-2) You p​in the SSL server certificate, but the CA is of the type that generates the key pair through the browser rather than you using OpenSSL, so the post-renewal public key is not known in advance; you can, however, renew max-age + α early so that the validity periods overlap
  [Figure: hpkp-move-c2]
• c-3) You pin the SSL server certificate, but use an SSL accelerator with HSM functionality, so the post-renewal public key is not known in advance; you can, however, renew max-age + α early so that the validity periods overlap. The migration diagram is the same as c-2
• d-1) You pin the SSL server certificate, but as with Let's Encrypt and some other CAs, the previous certificate is revoked immediately after renewal, so an overlap of validity of max-age + α is impossible
  [Figure: hpkp-move-d1]
Hopefully the description above makes clear which case your operation falls into. Here is how to handle cases a to d.
• Handling a) At renewal, the web server's HPKP header configuration need not change
• Handling b) Without worrying much about max-age, you may change the web server's certificate configuration and HPKP header after renewal
• Handling c) Requires the most nerve-racking, max-age-aware certificate renewal and HPKP header configuration. The validity periods must overlap across the renewal
• Handling d) HPKP cannot be used in this case. You need to consider pinning a different certificate or issuance service instead. If you use it anyway, some users will be unable to connect for about max-age.
Whatever certificate renewal and HPKP header migration you do, you must draw up and execute a migration plan while attending to certificate expiry, max-age, private key storage and much else; get it wrong and you face a prolonged service outage. I think the operational burden and risk are large.

4.4. Why "backup pin" is a poor name

As noted earlier, you must always include one pin that does not match the certificate chain. When pinning the SSL server certificate, if you can pre-generate, alongside the private key of the current SSL server certificate, the private key you plan to use at the next renewal, then setting its public key as the backup pin makes it a true backup and allows a smooth migration of certificate and pin (with the caveats discussed below).

However, being able to pre-generate the successor private key as a backup and actually use it is a rare case. In the following common situations, the pre-generated private key cannot be used at renewal.

Backup pin for a CA certificate
In a CA's certificate renewal or key rollover, the successor private key does not exist in advance, and no CA publishes the pin of its successor public key to its users.
Backup when an HSM is in use
CAs and SSL accelerators typically manage private keys in a hardware security module (HSM) from which the key cannot be extracted. With HSM-based key or certificate rollover you cannot pre-generate several private keys and designate one at rollover time; a new key pair is generated at rollover and used. This is why CAs cannot publish a backup pin.
CAs that generate the key pair in a web page and issue the SSL server certificate
Some CAs use web browser functionality: press a button and a key pair is generated automatically, a certificate is issued for it, and the new certificate is stored. With such CAs you cannot use a pre-generated key at issuance.
When using Let's Encrypt
Let's Encrypt, the free service with the world's highest issuance volume, automates the issuance process with scripts, but it too generates a new key pair automatically at renewal, so a pre-generated key pair cannot be used.
A "backup pin" in the true sense is therefore only possible in the following case:
• you pin the SSL server certificate, and
• you use a CA that lets you generate the key pair with a command such as OpenSSL, create the certificate signing request manually, and have the certificate issued for it
Consequently, calling the pin that does not match the certificate chain a "backup pin" is inappropriate in most of the cases above, and I think the name is a problem.

4.5. A recommended backup pin value when pinning a CA key

When pinning the root or intermediate CA certificate, the non-matching pin can be anything if you do not know the future successor; it need not even be the hash of a real public key. Since it is SHA-256, any 32-byte value will do.

That said, it is better if it is obvious at a glance in the HPKP header which pin is the non-matching one, which also prevents operational mistakes such as deleting the wrong pin; so the value I would like to recommend is the following.

pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; in hexadecimal this is 0000000000000000000000000000000000000000000000000000000000000000 (32 bytes).
I hope it catches on, lol.

4.6. Pinning several certificates in the chain is pointless

So far I have argued on the assumption that exactly one pin matches the certificate chain. What happens if several match, for example if the pins of the root certificate, the intermediate CA certificate and the SSL server certificate all match?

Suppose you pin the SSL server certificate first, then add the intermediate CA certificate's pin, then the root certificate's pin. Take as given the obvious rule that the same key pair is not reused for server certificates issued by several CAs. As stated in section 4.2 ③ and ④, pinning the SSL server certificate is the narrowest in scope and the strongest countermeasure against fake HTTPS.

What if you add the matching intermediate CA pin to that? The set of certificates the pins identify does not change at all, so adding the intermediate CA pin does not make building a fake HTTPS site any harder and does not raise the security strength. Operationally, keeping the pins matched is harder than with a single pin, and it extends into territory the site owner alone cannot control, so operating certificate and pin header changes becomes far more complex and troublesome. Adding the root certificate's pin is exactly the same: the security strength does not rise, and the migration becomes more complex.
[Figure: hpkp-multipin]

Hence pinning several certificates in the chain is meaningless and only makes operations more complex, so it is better not to do it.

4.7. Issues when you keep pinning the same CA certificate

If for the foreseeable future you will keep getting certificates issued by the same root and intermediate CAs, you can pin the public key of that CA's certificate. In that case the backup pin can be any suitable value, since the CA will not tell you the successor pin. It need not be a public key hash; any Base64 representation of a 32-byte value will do (as long as it does not collide).

But I wrote "for the foreseeable future": there is no guarantee that the intermediate CA that issued your SSL server certificate will be the same intermediate CA with the same public key at the next issuance. For the following reasons, a different intermediate CA certificate may be used.

• Intermediate CA certificates are valid for about 5 to 10 years. From around the halfway point, and at the latest with 2 or 3 years remaining, the intermediate CA stops issuing and subscribers get their certificates from a different CA.
• As the number of issued certificates grows, so does the size of the certificate revocation list (CRL); CAs therefore sometimes cap issuance from one intermediate CA and issue subsequent certificates from a new one.
• In recent years, due to operational lapses or cyber attacks, entire issuance services or specific intermediate CAs have been shut down or discontinued.
In such cases the same intermediate CA's pin cannot be used.

When you find that the root or intermediate CA whose valid pin you set cannot issue you a new certificate, you cannot migrate to a different certificate immediately: for the period given by max-age, typically 1 month to 1 year, you cannot swap certificates. In the worst case, valid HTTPS communication is impossible for that period.

There is a way to mitigate this. At time A, when you decide to renew and learn that the same intermediate CA cannot issue a certificate, record time B = A + max-age and obtain the new certificate (but do not use it yet). Set the pin of the new certificate's different intermediate CA public key as the backup pin in the web server's header. Only at time B do you swap in the new certificate. Given this, a long max-age such as 1 year helps against fake sites, but it carries the renewal risk just described, so setting it to about half a month to one month seems reasonable.

4.8. Issues when pinning two CA certificates

Alternating between two issuance services at each SSL server certificate renewal, say Symantec and GlobalSign, setting both intermediate CA pins in the header and treating the one not currently in use as the backup pin, seems a rather clever approach.
[Figure: hpkp-two]

However, for the reasons given above, there are cases where the GlobalSign intermediate CA pin you planned to use after Symantec can no longer be used.

So in the cases where you pin a CA certificate, don't you think operating HPKP on your web server while nervously watching the issuance service's whims is a real hassle? It starts to seem that pinning the SSL server certificate, which you control yourself, is better even if it is laborious.

4.9. Thinking about a recommended max-age

In the security considerations of RFC 7469 section 4.1, the maximum max-age is described as follows, saying that 60 days may be a balanced value.

From RFC 7469, 4.1. Maximum max-age:
However, a value on the order of 60 days (5,184,000 seconds) may be considered a balance between the two competing security concerns.
But in my survey in chapter 5, based on Scott Helme's list of HPKP domains, among configurations with sensible operation 30 days is the most common at 26%, followed by 60 days at 19%.

If max-age is too long,

• a misconfiguration leaves some users unable to connect for a long time
• when validity overlap is needed, the effective certificate validity shrinks, affecting operating costs
These risks I explained in section 4.2. Conversely, what happens if max-age is too short?

In short, the chance of being hijacked by a fake HTTPS site rises. If the real site's max-age is short and, just when it expires, the domain is hijacked and a fake site is set up serving an HPKP header with a long max-age such as one year, then once that happens, some users can reach only the fake site for the next year.
[Figure: hpkp-maxage]
A shorter max-age gives attackers more opportunities, so max-age needs to be reasonably long.

With the various sources of information available, it should not take long to notice that a fake site has been set up; a few days to a week should be enough to notice. It would not go unnoticed for half a month or a month. I think the minimum max-age should be set by "how long, at most, it takes to notice a fake HTTPS site problem".

So, trading off attack risk against availability risk, I think a max-age of about 15 to 30 days is good.

5. How widely is HPKP used?

According to Netcraft's SSL survey of March 2016, only about 0.09% of sites worldwide, fewer than about 4,100, had HPKP configured, and with many configuration errors: only about 3,000 of those were configured correctly.

Also, according to the blog of Scott Helme, an expert on CSP (Content Security Policy) and HPKP who runs an HPKP validation and report-collection site, only 375 of the Alexa top 1 million sites had HPKP configured.

Scott Helme also publishes the data from his surveys. There was a list of 448 HPKP domain names as of August 2016, so based on it I did a small survey of the 283 sites that still returned an HPKP header as of February 2017.

[Figure: hpkp-graph1]
First I checked how correct the headers were: whether the format is correct, and whether there are at least two pin hashes, as the specification requires. 16% turned out to be misconfigured. The errors included no pin-sha256 attribute, an invalid pin-sha256 value, only one pin-sha256 attribute, and so on. For example:
• ...
• pin-sha256="base64+info1="; max-age=3
[Figure: hpkp-graph2]
Next, the number of pin hashes in the header. Two is generally enough and most sites have two, but a fair number wrongly have only one, and a fair number have three or more. One brave soul had 15.
[Figure: hpkp-graph3]
max-age sets how long the browser retains the valid public key hashes. The RFC seems to recommend 60 days, but in practice 30 days is the most common. A fair number, perhaps testing, set 1 day or less. Too short raises the hijacking risk; too long means that a misconfiguration locks users out for that period. Setting it to a year, when a misconfiguration would lock users out for a year and guarantee complaints, is frightening.
[Figure: hpkp-graph4]
With report-uri set, supporting browsers send a report to the given URL on an HPKP error. Jxck's site has it set, but few sites do yet.
[Figure: hpkp-graph5]
The header value may carry the includeSubDomains property; with it, HPKP set on example.com also applies to the sub1.example.com domain.
[Figure: hpkp-graph6]
Normally "Public-Key-Pins" is used, but "Public-Key-Pins-Report-Only" is a testing feature: the browser does not enforce HPKP and continues the HTTPS connection even on what would be an error. About 10% of sites use this testing setting.
[Figure: hpkp-graph7]
Breaking down the 283 reachable HPKP sites by gTLD (com, org, etc.) and ccTLD (de, ru, jp, etc.): com being most common is expected, but some TLDs stood out relative to their registration counts. com has 130 million registrations, net and de 16 million, ru 5.4 million; relative to registrations, ru, org and de are disproportionately high, and among those grouped as "other" on the graph some minor ccTLD countries also have relatively many HPKP sites. edu being unusually few was also notable. "Other" contained nearly 50 minor ones such as ar/br/cl/il/pt/nl/tn/sk.
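As an added example, not the post's own code, a small checker that applies the RFC 7469 rules behind the header format in section 3 and behind the misconfigurations the survey above found: at least two well-formed pins (Base64 of 32 bytes), a mandatory max-age, at least one pin matching the served chain, and at least one that does not (the backup pin). The chain pins and header strings are constructed sample values, the all-zero backup pin is the one section 4.5 recommends, and `parse_pkp`, `check_pkp` and `build_pkp_header` are my names.

```python
import base64
import binascii
import re

PIN_DIRECTIVE = re.compile(r'^pin-sha256="([^"]*)"$', re.IGNORECASE)


def parse_pkp(header: str) -> dict:
    """Split a Public-Key-Pins field value into its pins and the other directives."""
    pins, directives = [], {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        m = PIN_DIRECTIVE.match(part)
        if m:
            pins.append(m.group(1))
        elif "=" in part:
            name, value = part.split("=", 1)
            directives[name.strip().lower()] = value.strip().strip('"')
        else:
            directives[part.lower()] = True          # flag directive, e.g. includeSubDomains
    return {"pins": pins, "directives": directives}


def pin_is_well_formed(pin: str) -> bool:
    """A pin must be Base64 of exactly 32 bytes (one SHA-256 digest)."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def check_pkp(header: str, chain_pins: list) -> list:
    """Return the problems a browser (or an auditor) would find in this header.

    chain_pins: pin-sha256 values of every certificate in the served chain, leaf first.
    RFC 7469 rules applied: at least one pin must match the chain, at least one must
    not (the backup pin), and max-age is mandatory.
    """
    parsed = parse_pkp(header)
    pins, directives = parsed["pins"], parsed["directives"]
    problems = []
    for pin in pins:
        if not pin_is_well_formed(pin):
            problems.append(f"malformed pin: {pin}")
    if len(pins) < 2:
        problems.append("fewer than two pin-sha256 directives")
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        problems.append("max-age missing or not a non-negative integer")
    matched = [p for p in pins if p in chain_pins]
    if not matched:
        problems.append("no pin matches the served certificate chain (header would be ignored)")
    elif len(matched) == len(pins):
        problems.append("no backup pin: every pin matches the chain")
    return problems


def build_pkp_header(chain_pin: str, backup_pin: str, max_age: int,
                     report_uri: str = None, include_subdomains: bool = False) -> str:
    """Assemble a header value with exactly the directives the post describes."""
    parts = [f'pin-sha256="{chain_pin}"', f'pin-sha256="{backup_pin}"', f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


# Constructed sample values (not real keys): a leaf pin, an intermediate CA pin, and the
# all-zero placeholder the post recommends as a deliberately non-matching backup pin.
LEAF_PIN = base64.b64encode(bytes(range(1, 33))).decode()
INTERMEDIATE_PIN = base64.b64encode(bytes(range(33, 65))).decode()
ZERO_PIN = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
SAMPLE_CHAIN = [LEAF_PIN, INTERMEDIATE_PIN]

GOOD_HEADER = build_pkp_header(INTERMEDIATE_PIN, ZERO_PIN, 2592000,
                               report_uri="https://report.example.com")
ONLY_ONE_PIN = 'pin-sha256="base64+info1="; max-age=3'      # the shape seen in the survey
NO_BACKUP = f'pin-sha256="{LEAF_PIN}"; pin-sha256="{INTERMEDIATE_PIN}"; max-age=5184000'

if __name__ == "__main__":
    for name, value in [("good", GOOD_HEADER), ("one pin", ONLY_ONE_PIN), ("no backup", NO_BACKUP)]:
        print(name, check_pkp(value, SAMPLE_CHAIN) or "ok")
```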

6. What went wrong with today's HPKP

The idea behind HPKP is useful as a mechanism against fake sites that use fraudulently issued certificates, and the preloaded pins built into Chrome and Firefox seem to work well. The header-based scheme, on the other hand, turned out to be quite complex and hard to operate, and a mistake carries a high risk of an outage in which some users cannot connect for a long period, such as two months.

For personal or small-to-medium sites there is no obvious benefit to an attacker in going so far as to build a fake site with a fraudulent certificate, and the chance of being attacked that way is extremely low, so I see no need to adopt HPKP at the cost of taking on the risk of a service outage.

For HPKP to spread among ordinary sites, I think the specification would need changes that make it easier to operate and less prone to outages; how could that be made possible?

Assuming a max-age of two months, the operational problem with the HPKP header is this: if the pin is going to change, you must configure it two months before renewal, and even if you notice a mistake and fix the header, the connectivity failure persists for two months.

So it would be good if, on noticing a mistake, a configuration change could take effect immediately, or if there were a kill switch that lets the server temporarily disable the browser's HPKP validation. I have not thought it through deeply, but if, for example, the header carried an HPKP update date so that an updated configuration took effect regardless of max-age, and disabling meant disabling, operations would be freed from the curse of max-age and misconfiguration.

There may be other solutions to this problem, but without some remedy HPKP does not look likely to spread.

7. Closing

Above, I have examined and organised HPKP from the operational side: where to pin, what to do about max-age, and so on. I hope it is clear that adopting HPKP now is premature, burdens operations, and carries a high risk of a service outage.

With this I have calmly sorted out and, some three years late, finally got off my chest what I had long wanted to write about HPKP. Apologies if it is hard to follow or if my understanding is wrong. Personally, my lingering unease about HPKP has now mostly been cleared. Well, "that's what blogs are for", lol.

8. (Reference) Useful links on HPKP

Netcraft: Secure websites shun HTTP Public Key Pinning
Statistics showing that HPKP has not caught on, and an explanation of why. A good article.
Netcraft: HTTP Public Key Pinning: You're doing it wrong!
Netcraft's explanation of the configuration errors at HPKP sites around the world. A good article.
Scott Helme's HPKP blog articles
The blog of Scott Helme, an expert on SSL-related technologies such as CSP, HSTS and HPKP, who runs the report-collection site report-uri.io. It also has data such as the list of HPKP domains.
Qualys Blog: Is HTTP Public Key Pinning Dead?
Ivan Ristic's discussion of whether HPKP is finished.
Raymii.org: HTTP Public Key Pinning Extension HPKP for Apache, NGINX and Lighttpd
A thorough explanation, with HPKP header configuration examples for each server.
MDN: Public Key Pinning
Mozilla's explanation of HPKP. Useful for its notes on the supporting versions of Chrome and Firefox, server configuration examples, and the remark that the report feature only works in newer Chrome.
Public Key Pinningについて - Chris Palmer (原文) (About Public Key Pinning - Chris Palmer, original text)
Chris Palmer's explanation of HPKP. It contains some misunderstandings, but it was the first article to consider where in the certificate chain to pin and to break the question down by case.
ぼちぼち日記：不正なSSL証明書を見破るPublic Key Pinningを試す (Bochibochi Diary: Trying Public Key Pinning to detect fraudulent SSL certificates)
jovi's detailed and wide-ranging explanation of HPKP (the draft).
Jxckさんのブログ：Public Key Pinning for HTTP(HPKP) 対応と report-uri.io でのレポート収集 (Jxck's blog: Supporting HPKP and collecting reports with report-uri.io)
Jxck's explanation. The report on trying out the report-uri feature is especially valuable.
公開鍵ピニングによるユーザ追跡 HPKP Supercookies (User tracking through public key pinning: HPKP Supercookies)
Not very related to this article, but slides by Nishimunea on an interesting attempt at identifying users without cookies by using HPKP.
OWASP: Certificate and Public Key Pinning
OWASP's explanatory article. Contains a lot of useless information too.

9. Addenda

9.1. Addendum (2017.02.26) Browser support status for HPKP

The caniuse.com site provides browser support information for all sorts of features, and it also covers the browser support status for HPKP as of February 2017, so I'll show it here. Firefox, Chrome, Opera and Chrome for Android support it; nothing else does.
[figure: hpkp-caniuse]

9.2. Addendum (2017.02.26) The HPKP outage at smashingmagazine.com

Afterwards, while continuing to research HPKP, I found that the smashingmagazine.com blog had written an analysis of a connection outage caused by HPKP. It said the following:

• HPKP is an effective feature against man-in-the-middle attacks, but
• An HPKP misconfiguration caused an HTTPS connection outage from October 21 to 25, 2016
• When the certificate expired and the HPKP header was updated, errors occurred
• The certificate had already expired, so a rollback was not possible
As lessons learned, the blog says:
• For a financial site HPKP is worth using, but a site that merely provides information has no need for it. A service outage from an HPKP misconfiguration is a bigger threat than a man-in-the-middle attack
• The problem can be mitigated by shortening max-age
I agree that being unable to provide the service is the bigger problem, but as I said earlier, setting max-age to too short a value is not wise and requires care. This site apparently had max-age set to one year, which is certainly too long. I looked at the newly configured HPKP header: besides the current SSL server certificate there are three more pins, and max-age is now set to one day, so the configuration appears to have several problems.
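Every check in this addendum (a pin for a key actually in the served chain, a backup pin for a key that is not, a max-age that is neither a year nor a day) can be run against a header before it goes live. The Go program below is an added example, not code from the post or from any project it mentions: it derives pin-sha256 values as RFC 7469 defines them, parses a Public-Key-Pins value, and audits it against the pins of a constructed chain. The keys, the two header values and the 7-to-60-day max-age window are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// PinSHA256 returns the HPKP pin of a public key, base64(SHA-256(SPKI DER)),
// RFC 7469 section 2.4. It covers the key, so a renewal reusing it keeps the pin.
func PinSHA256(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// ParsePKP extracts the pin-sha256 and max-age directives from a value such as
// pin-sha256="..."; pin-sha256="..."; max-age=2592000; includeSubDomains
func ParsePKP(v string) (pins []string, maxAge int64, err error) {
	for _, d := range strings.Split(v, ";") {
		// Cut at the first '=' only: base64 pins themselves end in '='.
		name, val, _ := strings.Cut(strings.TrimSpace(d), "=")
		val = strings.Trim(val, `"`)
		switch strings.ToLower(name) {
		case "pin-sha256":
			pins = append(pins, val)
		case "max-age":
			if maxAge, err = strconv.ParseInt(val, 10, 64); err != nil {
				return nil, 0, fmt.Errorf("bad max-age %q", val)
			}
		}
	}
	return pins, maxAge, nil
}

// Audit applies the pre-deployment checks: one pin must match a key in the
// served chain, one must be a backup for a key NOT in the chain (RFC 7469
// section 2.5), and max-age must lie within [lo, hi] seconds.
func Audit(pins []string, maxAge int64, chainPins []string, lo, hi int64) []string {
	inChain := map[string]bool{}
	for _, p := range chainPins {
		inChain[p] = true
	}
	matched, backup := 0, 0
	for _, p := range pins {
		if inChain[p] {
			matched++
		} else {
			backup++
		}
	}
	var f []string
	if matched == 0 {
		f = append(f, "no pin matches the served chain; browsers would refuse the site")
	}
	if backup == 0 {
		f = append(f, "no backup pin; a lost key cannot be replaced until max-age expires")
	}
	if maxAge > hi {
		f = append(f, fmt.Sprintf("max-age %d exceeds %d; a mistake would lock clients out too long", maxAge, hi))
	}
	if maxAge < lo {
		f = append(f, fmt.Sprintf("max-age %d is below %d; the pin lapses before it protects anyone", maxAge, lo))
	}
	return f
}

// Demo audits two constructed headers against a constructed chain (leaf and
// intermediate keys) plus a separate backup key. The second header repeats
// the pattern described above: only the current key pinned, max-age one year.
func Demo() (sound, unsound []string) {
	pins := make([]string, 3) // leaf, intermediate, backup
	for i := range pins {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		pins[i], _ = PinSHA256(&k.PublicKey) // cannot fail for an ECDSA key
	}
	const day = int64(24 * 60 * 60)
	lo, hi := 7*day, 60*day // example window, not a value from the post
	good := fmt.Sprintf(`pin-sha256="%s"; pin-sha256="%s"; max-age=%d; includeSubDomains`, pins[0], pins[2], 30*day)
	bad := fmt.Sprintf(`pin-sha256="%s"; max-age=%d`, pins[0], 365*day)
	gp, ga, _ := ParsePKP(good) // both constructed values are well formed
	bp, ba, _ := ParsePKP(bad)
	return Audit(gp, ga, pins[:2], lo, hi), Audit(bp, ba, pins[:2], lo, hi)
}

func main() {
	s, u := Demo()
	fmt.Println("sound header:", s, "unsound header:", u)
}
```

The chain pins passed to Audit should be computed from every key the server actually serves (leaf and intermediates), since a pin may legitimately sit on any of them; a header whose only matching pin is the leaf key gains nothing from an intermediate-level backup unless that backup key is also kept offline and ready to use.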

SSL/TLS as seen in SSL Pulse statistics (December 2015 edition)

Well, it's the end of the year. Lately I haven't been able to find any time at all for SSL/TLS research. The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, the company known for ssllabs, and every month it publishes SSL-related statistics for the world's 200,000 most-visited sites as ranked by Alexa, the web measurement company. Following on from October, let's chart the SSL/TLS trends in the December 2015 SSL Pulse. The data seems to have been published fairly early this month, but I was slow to notice.

Trend in vulnerability remediation

[figure: 201512-a1vuln]

Trend in SSL/TLS protocol versions

[figure: 201512-a2proto]

Trend in SSL server certificate key lengths and signature algorithms

[figure: 201512-a3crt]

Trend in support for newer technologies

[figure: 201512-a4adv]
SPDY is declining: the migration to HTTP/2 has begun. SSL Pulse has actually been reporting HTTP/2 support for about four months now, so I'd like to start visualizing that soon.

Minimum key length for key exchange

[figure: 201512-a5kx]

Minimum key length for DH(E) key exchange

[figure: 201512-a6dh]
The DH key exchange support rate is roughly flat, whereas

Minimum key length for ECDH key exchange

[figure: 201512-a7ecdh]
support for ECDH(E) is clearly advancing.

Closing

It's the year-end rush, and although I don't feel I've been out drinking that much, work is somehow piling up (orz). Sorry for the sparse commentary. That's it for this month.

Related articles

SSL/TLS as seen in SSL Pulse statistics (October 2015 edition)

The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, the company known for ssllabs, and every month it publishes SSL-related statistics for the world's 200,000 most-visited sites as ranked by Alexa, the web measurement company. Following on from August, let's chart the SSL/TLS trends in the October 2015 SSL Pulse. This month the data was slow to appear; I believe it was finally updated around October 19. No new items were added, so I wonder why.

Trend in vulnerability remediation

[figure: 201510vuln]
The share of sites still allowing RC4 continues to fall steadily; this month only 53% of sites can still use it. Sites supporting PFS, i.e. ECDHE or DHE key exchange, have risen to 71.5%, so it is now available on a substantial number of servers.

Trend in SSL/TLS protocol versions

[figure: 201510proto]
Due to POODLE, sites where SSLv3 can be used have fallen to 32.5%.

Trend in SSL server certificate key lengths and signature algorithms

[figure: 201510crt]
Prompted by the SHA1 certificate warnings in Google Chrome and Windows products, the SHA2 migration continued steadily this month: SHA1withRSA is down to 24.1% and SHA256withRSA is up to 74.9%. Only a quarter left to go.

Trend in support for newer technologies

[figure: 201510adv]
HSTS, OCSP Stapling and EV are all rising gradually, but none of it amounts to much.

Minimum key length for key exchange

[figure: 201510kx]
Key exchange key lengths seem to be moving steadily away from 512-bit and 1024-bit toward 2048-bit equivalents, but...

Minimum key length for DH(E) key exchange

[figure: 201510dh]
48.2% of sites do not support DH key exchange at all, and although DH 1024-bit, whose strength is insufficient, is decreasing, it still stands at 28.9%. Opinions will differ, but I think it is better to use ECDH(E) rather than DH(E).

Minimum key length for ECDH key exchange

[figure: 201510ecdh]
Sites without ECDH/ECDHE have fallen to 34.2%, and sites that can use ECC 256-bit have risen to 61.9%. It feels fairly widespread now; my advice is "don't overthink it, just enable ECDHE!"

Closing

I really have to produce two sets of presentation slides or I'm in trouble. That's it for today.

Related articles

Deep Inside Certificate Transparency (Part 1)

Certificate Transparency (CT below) has various problems and I have mixed feelings about it, but when a mountain is there, it is human nature to want to climb it (^^; I have been investigating the CT log servers and the data they hold while writing various tools. I plan to write up what I have learned about CT over several posts.

About precertificates

There are several ways to signal CT support, but the one actually in use is embedding a Signed Certificate Timestamp (SCT) extension in the issued certificate. I have never seen an implementation of the alternatives, delivering the SCT through a TLS extension or alongside an OCSP response.

To include the SCT extension, a certificate called a precertificate is needed; what a precertificate is and the flow in which it is issued are explained in these slides. Several DigiCert pages also explain precertificates, so have a look if you are interested. [1] [2] [3]

For certificates issued before the CT mechanism was introduced, or never intended to support CT, the CT log servers simply store ordinary X.509 certificate chains; for certificates from vendors that properly support CT, precertificate chains are stored. As for the sites Chrome labels as having "public audit records", I believe only those whose X.509 certificate contains a precertificate-based SCT extension are shown that way.

As of today, about 6.7 million certificate chains are registered in Google's pilot CT log server, but only 160,000 of them are registered as precertificates (i.e. shown in Chrome as having public audit records).

Trend in the number of precertificates issued

Registration of entries in the Google pilot log began on March 26, 2013 with existing certificates (chains), but let's look at a graph of the number of precertificates issued since CT was introduced.
[figure: blog-pre]
The first precertificate was registered in the Google pilot CT log in November 2013, and issuance of SCT-enabled certificates began to be officially supported as a service around December 2014.

Which certificate authorities (brands) supported CT early?

As of September 2015, 96 intermediate CAs (sub-CAs) and 30 brands have issued precertificates. The order in which those 30 brands first issued a precertificate, with the dates, is as follows.

CA brand            First precertificate issued
DigiCert            2013-11-01
COMODO              2014-01-23
TAIWAN-CA           2014-05-09
Entrust             2014-07-21
AffirmTrust         2014-10-27
Symantec            2014-11-11
GlobalSign          2014-11-28
GeoTrust            2014-12-08
Thawte              2014-12-08
Buypass             2014-12-10
Network Solutions   2014-12-15
USERTRUST           2014-12-16
Trend Micro         2014-12-22
Starfield           2014-12-23
Go Daddy            2014-12-23
TERENA              2014-12-29
Trustwave           2015-01-05
Cybertrust          2015-01-07
VeriSign            2015-01-12
QuoVadis            2015-01-14
HydrantID           2015-01-22
Google UK           2015-01-27
Aetna               2015-01-29
IZENPE              2015-02-04
Certum              2015-02-05
Camerfirma          2015-02-20
NCC                 2015-03-30
SECOM Trust         2015-04-30
Actalis             2015-05-18
WoSign              2015-08-20
It is no surprise that DigiCert, which cooperated with Google on the CT specification and implementation, was early, but Taiwan's TAIWAN-CA (TWCA) was also quick. The Japanese vendors are doing well too.

Ranking by number of precertificates issued

Next, let's look at the number of precertificates issued. It is only natural that the big players have many, but Cybertrust seems to be doing well. Come to think of it, what has become of StartSSL? Those with about 10 or fewer are presumably still testing.

CA brand            Precertificates issued
Symantec            50760
DigiCert            20856
GeoTrust            17447
COMODO              14573
Cybertrust          13020
Go Daddy            12635
Thawte              9891
Entrust             6616
GlobalSign          6063
TERENA              2363
QuoVadis            1873
Google UK           1861
Starfield           1262
Network Solutions   939
Trend Micro         615
Certum              367
VeriSign            196
WoSign              187
Trustwave           177
SECOM Trust         161
Buypass             154
IZENPE              116
TAIWAN-CA           76
HydrantID           37
Aetna               34
NCC                 25
AffirmTrust         10
Actalis             7
USERTRUST           7
Camerfirma          4

What tools I built

For this investigation I have built several tools in Perl and Node (+jsrsasign) and gradually set up an environment. I could publish them, but unless I write documentation and properly build out command-line options and the like, I get scolded with "no docs, so it's useless!!", which is really demoralizing. Since it's open source, I'd think people could just read the code a little, and the test code shows exactly how to use it... or so I think. (Sorry, that sounds like a jsrsasign gripe.)

Roughly, these are the tools I have built. (There are others, but only those relevant here.)

• An SQLite database holding only precertificates and the information parsed from them
• A tool to save the leaf_input of log entries
• A tool to save the extra_data of log entries
• A tool to extract the precertificate chain from a log entry and store it as certificates
• A parser for leaf_input data files
• A tool that takes the TBSCertificate of a precertificate, attaches a dummy signature and turns it into a makeshift certificate (there is no general-purpose TBSCertificate viewer, so this lets ordinary certificate viewers such as the openssl x509 command be used, which is very handy)
• A tool to display the registration date of log entries

Closing

This time I reported mainly the statistical findings from examining the log database. Next time I hope to write about the data structures and the contents of precertificates. See you.

SSL/TLS as seen in SSL Pulse statistics (August 2015 edition)

The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, the company known for ssllabs, and every month it publishes SSL-related statistics for the world's 200,000 most-visited sites as ranked by Alexa, the web measurement company. Following on from June, let's chart the SSL/TLS trends in the August 2015 SSL Pulse this month as well.

Trend in vulnerability remediation

[figure: 201508-vuln]
With the share of sites allowing RC4 falling steadily and so on, things look generally on track. Boring.

Trend in SSL/TLS protocol versions

[figure: 201508-ssl]
Due to POODLE, SSLv3 support has continued to fall steadily, to 35.0%. Also boring.

Trend in SSL server certificate key lengths and signature algorithms

[figure: 201508-crt]
Prompted by the SHA1 certificate warnings in Google Chrome and Windows products, the SHA2 migration continued steadily this month: SHA1withRSA is at 31.9% and SHA256withRSA at 67.2%.

Trend in support for newer technologies

[figure: 201508-new]
Hmm, this one is boring too.

Minimum key length for key exchange

[figure: 201508-kx]
Key exchange key lengths are steadily moving away from 512-bit and 1024-bit toward 2048-bit equivalents.

Minimum key length for DH key exchange

[figure: 201508-dh]
Use of DH 1024-bit and 512-bit, whose strength is insufficient, is falling steadily and 2048-bit is rising, but not at any great rate; I still think it is best not to use DH/DHE.

Minimum key length for ECDH key exchange

[figure: 201508-ecdh]
Sites without ECDH/ECDHE are falling steadily and sites with it are rising; sites that can use ECC 256-bit ECDH/ECDHE have risen to 58.5%.

Closing

This week I'm at the Security Camp national event, so I'm keeping it light.

Related articles

SSL/TLS as seen in SSL Pulse statistics (June 2015 edition)

The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, the company known for ssllabs, and every month it publishes SSL-related statistics for the world's 200,000 most-visited sites as ranked by Alexa, the web measurement company. Following on from May, let's chart the SSL/TLS trends in the June SSL Pulse. I had meant to do this every other month, but I wanted to see the effect of Logjam, so I went ahead this month. (Just kidding: this was a month I could have skipped, but I forgot and made the graphs anyway, orz)

Trend in vulnerability remediation

[figure: 201506vuln]

Trend in SSL/TLS protocol versions

[figure: 201506proto]
Due to POODLE, SSLv3 continues to fall steadily; sites supporting it are down to 37.6%.

Trend in SSL server certificate key lengths and signature algorithms

[figure: 201506crt]
Prompted by the SHA1 certificate warnings in Google Chrome and Windows products, the ratio of SHA1 to SHA2 certificates flipped in May, and the SHA2 migration continues steadily: SHA2 is now at 60% and SHA1 at 40%.

Trend in support for newer technologies

[figure: 201506adv]
OCSP stapling adoption had started to climb but has slipped back again.

Minimum key length for key exchange

[figure: 201506kx]
Key exchange data has been available since March, and trends are finally becoming discernible.

Minimum key length for DH key exchange

[figure: 201506dh]
With the May disclosure of Logjam, a downgrade to weak export-grade DH(E) keys, DH key exchange key lengths have grown overall, but by only 2 to 3 percent; rather than configuring longer DH keys, I still think it is better not to use DH key exchange at all and to use ECDH-family key exchange instead.

According to the blog of Matthew Green, one of the Logjam researchers, for the attack to succeed the man-in-the-middle has to break the DH key within the short window of the handshake; with precomputation for a given set of key parameters this is feasible: 512-bit can be broken in tens of seconds on ordinary hardware, and 1024-bit, while out of reach for ordinary hardware, is not an impossible figure for an intelligence agency like the NSA relative to its budget. Scary.

Minimum key length for ECDH key exchange

[figure: 201506ecdh]
The ratio of sites that can and cannot use ECDH-family key exchange flipped in May, and the use of ECC 256-bit is growing steadily.

Closing

Next Monday is the JNSA study meeting, so I need to get my slides done soon. Ogya-san, though, has an amazing ability to draw a crowd.

Related articles

Publication of the CRYPTREC/IPA "SSL/TLS Cryptographic Configuration Guidelines" and of an unofficial configuration file generator

On May 12, 2015, the "SSL/TLS Cryptographic Configuration Guidelines", produced by a CRYPTREC working group, were published on IPA's site.

The background and overview of these SSL/TLS configuration guidelines are laid out clearly in Professor Kikuchi's presentation at the CRYPTREC Symposium 2015, so that is the best place to start.

The guidelines are aimed at server administrators and, while keeping cryptographic detail to a minimum (though there is still plenty of detailed crypto discussion...), explain how to configure servers against the many SSL/TLS vulnerabilities that were especially numerous last fiscal year. The columns included make interesting reading in their own right, so please take a look.

The guidelines present configurations in three profiles, according to use:

• Settings for cases demanding high security, such as government, finance and healthcare → High-security profile
• General recommended settings → Recommended-security profile
• Cases that must also support old browsers, game consoles, feature phones and the like → Security-exception profile

What administrators probably struggle with most is how to configure cipher suites and protocols in light of recent vulnerabilities and weakening of algorithms; the Appendix at the end describes concretely how to configure each server.

Still, reading all of it and producing a working configuration file is a lot of pages and a fair bit of work. So, to mark the publication of the guidelines, I built a tool where you choose the guideline profile and the server type, press a button, and get a configuration file. (applause)

HTTPS configuration file generator 0.2 (beta)
https://kjur.github.io/jsrsasign/tool/tool_httpscfg.html

For now it only covers Apache and nginx, and only part of the recommended settings, but the protocols and cipher suites are covered, so give it a try.
[figure: IMG_0216]
The text is small, but you can generate configuration files from a smartphone browser too. I'll update it bit by bit to full coverage, so stay tuned.

Another nice thing about the tool is that besides the CRYPTREC/IPA guidelines, you can also try the recommended settings from Mozilla and Qualys and the default settings of Linux-family OSes. I hope you enjoy grinning at the cipher suite settings...

That's it for today...

(Addendum 2021.03.25) Fixed the broken link to the tool.

SSL/TLS as seen in SSL Pulse statistics (May 2015 edition)

The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, the company known for ssllabs, and every month it publishes SSL-related statistics for the world's 200,000 most-visited sites as ranked by Alexa, the web measurement company. Following on from March, let's chart the SSL/TLS trends in the May SSL Pulse. I'm thinking of doing this every other month (^^;

Trend in vulnerability remediation

[figure: 201505vuln]

Trend in SSL/TLS protocol versions

[figure: 201505proto]
Due to POODLE, SSLv3 continues to fall steadily; sites supporting it are down to 40%.

Trend in SSL server certificate key lengths and signature algorithms

[figure: 201505cert]
Prompted by the SHA1 certificate warnings in Google Chrome and Windows products, the ratio of SHA1 to SHA2 certificates has flipped. I think that is the most notable feature of this month's graphs.

Trend in support for newer technologies

[figure: 201505adv]
OCSP stapling adoption is rising steadily, but it does not amount to much.

Minimum key length for key exchange

[figure: 201505kx]
Key exchange data has been available since March, and trends are finally becoming discernible.

Minimum key length for DH key exchange

[figure: 201505dh]
Sites supporting DH key exchange have grown slightly, but it is a serious problem that not only 2048-bit but also 1024-bit, which is considered insecure, is growing, and that the even less secure 512-bit is still in use. This trend too suggests that rather than configuring longer DH keys, it is better not to use DH key exchange at all and to use ECDH-family key exchange instead.

Section 4.4 of RFC 7525, the summary of recommendations for implementing and deploying TLS that I wrote about the other day, also sets out the problems with DH key exchange; RFC 7525 does not say "don't use it", but reading it I think DH-family key exchange should not be used.

Minimum key length for ECDH key exchange

[figure: 201505ecdh]
The ratio of sites that can and cannot use ECDH-family key exchange has flipped, and support for ECDH-family key exchange now exceeds half. The decline in the share of sites without ECDH is far more pronounced than for DH.

Closing

It's a blog rush this weekend. I never got around to the SSL server certificate with a message embedded in it. That's it for today.

Related articles

Publication of "RFC 7525: Recommendations for Secure Use of TLS and DTLS"

On May 7, 2015, "RFC 7525: Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)" was published.

Around last year, a great many problems were found in the cryptographic algorithms, protocols and implementations used by SSL/TLS, and using products with their defaults leads to no good; this RFC reportedly collects, as a Best Current Practice, what one must watch for when implementing and configuring.

Lately I have had opportunities to speak about SSL/TLS configuration [1] [2], and skimming RFC 7525 I don't think I have said anything much different. Today I'd like to write up what I noticed while looking through RFC 7525.

Purpose of RFC 7525

Judging from the specification, RFC 7525 seems to have two purposes:

• To set out the minimum recommendations that should be met.
• To set out what should be done as a stopgap until TLS 1.3 becomes widespread.

Key points of RFC 7525

The key points collected from each section of RFC 7525 are as follows.

• Section 3.1.1 TLS protocol
  • SSLv2 and SSLv3 must not be used, as a countermeasure to POODLE and similar (MUST NOT)
  • TLS 1.0 should not be used, as a countermeasure to CBC-mode attacks (SHOULD NOT)
  • TLS 1.2 must be implemented (MUST)
  • Prefer TLS 1.2, then TLS 1.1, then TLS 1.0 (MUST)
• Section 3.1.2 DTLS protocol
  • DTLS 1.0 should not be used (SHOULD NOT)
  • DTLS 1.2 must be implemented (MUST)
  • Prefer DTLS 1.2, then DTLS 1.0 (MUST)
• Other protocol items
  • Section 3.1.3 Fallback from TLS 1.x to SSLv2/SSLv3 is prohibited (MUST NOT)
  • Section 3.2 The HSTS (HTTP Strict Transport Security) header must be supported (MUST)
  • Section 3.3 TLS compression should be disabled to avoid CRIME and similar attacks (SHOULD)
  • Section 3.4 Session tickets used for session resumption must be authenticated and encrypted in transit (MUST)
  • Section 3.5 Where TLS renegotiation is needed, the renegotiation_info extension must be supported (MUST)
  • Section 3.6 Server Name Indication (SNI) must be supported (MUST)
  • Section 4.5 The Truncated HMAC TLS extension must not be used (MUST NOT)
  • Section 6.5 Certificate revocation checking should use OCSP, the status_request / status_request_v2 TLS extensions and OCSP stapling (SHOULD)
• Section 4 Cipher suite recommendations
  • Connections with NULL cipher suites are prohibited (MUST NOT)
  • Connections with RC4 cipher suites are prohibited (MUST NOT)
  • Connections with cipher suites below 112 bits, such as EXPORT suites, are prohibited (MUST NOT)
  • Connections with cipher suites below 128 bits should be avoided (SHOULD NOT)
  • Connections with TLS_RSA_WITH_* should be avoided (SHOULD NOT)
  • Preferring cipher suites that provide PFS, such as DHE and ECDHE, must be supported (MUST)
  • TLS_{DHE,ECDHE}_RSA_WITH_AES_{128,256}_GCM_SHA{256,384} are recommended (RECOMMENDED)
• Section 4.3 Public key length
  • For DHE key exchange, a DH key length of 2048 bits or more is recommended (RECOMMENDED)
  • For ECDH keys, curves below 192 bits should not be used (SHOULD NOT)
• Section 4.3 Certificates
  • For RSA, certificates with a key length of 2048 bits or more are recommended (RECOMMENDED)
  • SHA-256 is recommended for certificate signatures (RECOMMENDED)
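The protocol-version and cipher-suite points above can be checked mechanically against a server's TLS settings. The Go program below is an added example, not text from the RFC or code from the blog: AuditConfig reports which of those MUST NOT / SHOULD NOT items a crypto/tls server configuration violates, Legacy is a deliberately weak configuration of the kind the RFC targets, and Recommended is the same configuration corrected. Go's TLS stack has no DHE suites, TLS compression or renegotiation, so only the version, cipher-suite and forward-secrecy points are covered, and the matching on suite names is this example's own heuristic.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// AuditConfig reports where a crypto/tls server configuration falls short of
// the RFC 7525 points that map onto Go's settings: protocol versions (3.1.1)
// and cipher suites (4). The suite-name matching is this example's heuristic.
func AuditConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion allows TLS 1.0/1.1 (3.1.1: SHOULD NOT)")
	}
	if len(cfg.CipherSuites) == 0 {
		// An empty list means Go's defaults, which still include TLS_RSA_WITH_* suites.
		findings = append(findings, "CipherSuites left at defaults, which include non-PFS TLS_RSA_WITH_* (4: SHOULD NOT)")
	}
	names := map[uint16]string{}
	for _, cs := range tls.CipherSuites() {
		names[cs.ID] = cs.Name
	}
	for _, cs := range tls.InsecureCipherSuites() {
		names[cs.ID] = cs.Name
	}
	for _, id := range cfg.CipherSuites {
		name := names[id]
		switch {
		case strings.Contains(name, "_NULL_"):
			findings = append(findings, name+": NULL cipher (4: MUST NOT)")
		case strings.Contains(name, "RC4"):
			findings = append(findings, name+": RC4 (4: MUST NOT)")
		case strings.Contains(name, "3DES"):
			findings = append(findings, name+": 112-bit 3DES, below 128 bits (4: SHOULD NOT)")
		case strings.HasPrefix(name, "TLS_RSA_WITH_"):
			findings = append(findings, name+": RSA key exchange, no forward secrecy (4: SHOULD NOT)")
		}
	}
	return findings
}

// Legacy is a deliberately weak server configuration of the kind the RFC
// targets: TLS 1.0 still enabled, with RC4, 3DES and static-RSA suites offered.
func Legacy() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// Recommended is the corrected form: TLS 1.2 as the floor, only the ECDHE
// AES-GCM suites from the RECOMMENDED list (Go offers no DHE suites), and
// curves of at least 128-bit security for the ECDH exchange.
func Recommended() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384},
	}
}

func main() {
	fmt.Println("legacy:", AuditConfig(Legacy()))
	fmt.Println("recommended:", AuditConfig(Recommended()))
}
```

Run against a configuration pulled from a real server the audit lists one finding per offending suite, so the output doubles as the removal list; the zero-value tls.Config is flagged on both counts because Go's server default still permits TLS 1.0 and static-RSA suites.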

Concerns after reading RFC 7525

Here are the points that concerned me, and some impressions.

• Although billed as minimum recommendations, following the MUSTs and SHOULDs yields quite strict requirements; only the latest web browsers and web servers can meet them, and somewhat older embedded devices, SSL accelerators and the like probably cannot.
• I think it would be better to state recommendations separately for environments where only the latest software needs to be supported and for environments that need backward compatibility.
• While RSA key exchange is discouraged (SHOULD), many algorithms such as SEED, IDEA and Camellia go unmentioned, which is confusing when dealing with them.
• PFS and RC4 are overemphasized, and CBC mode is given short shrift.
• The discussion of key lengths could have been summarized more simply. The text is disorganized and hard to follow.
• The mentions of application protocols (HTTP, SMTP, IMAP, IRC, XMPP, etc.) are not very useful.
• The certificate requirements are only RECOMMENDED, which is quite lenient.

Good points of RFC 7525

On the other hand, the good points of RFC 7525 are roughly these...

• It makes clear the rationale behind each required setting, which is good.
• It treats implementation and deployment separately, which is good.
• It makes clear that Opportunistic Security raises greater concerns than a mere fallback and places it out of scope, which is good.
• It sets out the problems with certificate revocation, which is good.
• In particular, it points out that proprietary revocation checking does not scale, which is good.

Closing

Although RFC 7525 calls itself a Best Current Practice, its requirements are somewhat sharp-edged and feel workable only in the newest environments. The situation has changed in various ways since I spoke at Internet Week, so I'd like to write up my current cipher suite recommendations soon. I also want to build a web tool that generates configuration files for the major servers, but progress is slow.

At next week's Information Security Expo, IPA's booth will apparently also present the "SSL/TLS Cryptographic Configuration Guidelines", which I helped produce as a committee member. The guide is aimed mainly at server administrators, defines security requirements for several cases and gives configuration examples, so it makes clearer than RFC 7525 what concretely to do. After the final committee meeting I submitted various additional drafts at their request, but in the end, the cipher suite settings in particular did not turn out as I had hoped. I have regrets in many senses.

That's it for today

Usage of server certificates with DSA and ECDSA public keys in the wild

Google's Certificate Transparency log database (explanations: [1] [2] [3]) is a log of certificates for public HTTPS sites, so a lot of information can be obtained from it. As of March 27, 2015 it holds information on 6,949,166 SSL server certificates, and it grows by more than 10,000 a day. Given those numbers, I think it is fair to assume it covers essentially every SSL server certificate valid anywhere in the world over the last few years. The survey of HTTPS sites under the go.jp domain that I introduced earlier was also based on this public data.

I really ought to be preparing presentation slides, but as a bit of escapism, and for a certain reason, I looked into the usage and issuance of SSL server certificates with DSA and ECDSA public keys, so here is a report. What I originally wanted to know was whether there are really any public sites where the DSS cipher suites, which require an SSL server certificate with a DSA public key, can actually be used.

Most certificates are RSA-key SSL server certificates, and the SSL Pulse survey results likewise show ECDSA certificates to be a tiny share, but in the log database it looks like this (all figures as of March 27, 2015):

Certificates                                        Count       Share (%)
Registered server certificates (log entries)        6,949,166   100%
of which ECDSA-key SSL server certificates          398,841     5.3%
of which DSA-key SSL server certificates            100         0.0014%

To be clear: by an SSL server certificate with a DSA public key I mean a certificate whose SubjectPublicKeyInfo field holds a DSA public key; the key algorithm of the issuing CA may be RSA, DSA, ECC (ECDSA) or anything else. The algorithm in the server certificate's SubjectPublicKeyInfo determines the authentication and key exchange of the cipher suite used in SSL/TLS communication, and with a DSA public key the DSS cipher suites are used. ECC (ECDSA) certificates work much the same way.
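The tally above (certificates grouped by SubjectPublicKeyInfo algorithm) and the precertificate counts per CA brand in the Certificate Transparency post earlier on this page both come down to one loop over parsed certificates. The Go program below is an added example, not the author's Perl/Node tooling: it constructs an in-memory stand-in for a few log entries (a throwaway CA plus RSA and ECDSA leaves, one of them a precertificate carrying the RFC 6962 poison extension) and classifies them by key algorithm and by the presence of that extension. Go's standard library cannot mint DSA-keyed certificates, so the constructed sample has no DSA entry; the classifier handles that case through the same PublicKeyAlgorithm enum. The CA name, serials and host names are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CT precertificate poison extension, RFC 6962 section 3.1 (critical, value ASN.1 NULL).
var oidCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}

type Stats struct {
	ByKeyAlgorithm map[string]int // SubjectPublicKeyInfo algorithm -> count
	Precerts       int
	PrecertsByCA   map[string]int // issuer CN -> precertificate count
}

// IsPrecert reports whether c carries the CT poison extension.
func IsPrecert(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidCTPoison) {
			return true
		}
	}
	return false
}

// Classify tallies parsed certificates. PublicKeyAlgorithm reflects the OID in
// the subject's SubjectPublicKeyInfo, which is what selects RSA, ECDSA or DSS
// cipher suites; the algorithm the CA signed with plays no part in it.
func Classify(certs []*x509.Certificate) Stats {
	s := Stats{ByKeyAlgorithm: map[string]int{}, PrecertsByCA: map[string]int{}}
	for _, c := range certs {
		s.ByKeyAlgorithm[c.PublicKeyAlgorithm.String()]++
		if IsPrecert(c) {
			s.Precerts++
			s.PrecertsByCA[c.Issuer.CommonName]++
		}
	}
	return s
}

// must panics on error: the data below is constructed, so failure is a bug, not bad input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// BuildSampleLog constructs stand-in log entries (constructed data, not real
// log contents): an RSA leaf, an ECDSA leaf and an ECDSA precertificate, all
// issued by a throwaway self-signed "Constructed Test CA".
func BuildSampleLog() []*x509.Certificate {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := newTemplate(1, "Constructed Test CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	rsaKey := must(rsa.GenerateKey(rand.Reader, 2048))
	ecKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	entries := []struct {
		cn      string
		pub     interface{}
		precert bool
	}{
		{"rsa.example", &rsaKey.PublicKey, false},
		{"ecdsa.example", &ecKey.PublicKey, false},
		{"ecdsa-pre.example", &ecKey.PublicKey, true},
	}
	var log []*x509.Certificate
	for i, e := range entries {
		tmpl := newTemplate(int64(i+2), e.cn)
		if e.precert {
			tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCTPoison, Critical: true, Value: []byte{0x05, 0x00}}}
		}
		der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, e.pub, caKey))
		log = append(log, must(x509.ParseCertificate(der)))
	}
	return log
}

func main() {
	s := Classify(BuildSampleLog())
	fmt.Println("by key algorithm:", s.ByKeyAlgorithm, "precerts:", s.Precerts, s.PrecertsByCA)
}
```

On real log data the same Classify call would be fed the certificates extracted from each entry's leaf_input; note that x509.ParseCertificate accepts the poison extension but records it in UnhandledCriticalExtensions, which is why a precertificate must never be served to clients and why Verify on one fails.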

SSL server certificates with DSA public keys

Of the 100 certificates, I went further and actually connected to find which sites are still usable today.

Certificates                                                Count       Share (%)
Registered server certificates (log entries)                6,949,166   100%
of which DSA-key SSL server certificates                    100         0.0014%
of which DSA-key certificate sites that could be reached    11          0.00016%
of which DSA-key sites other than Symantec's                3           0.00004%
Wow, just 11 sites. Eight of them are obviously Symantec test sites judging by their domain names, so ordinary sites numbered only three. The only brands issuing DSA certificates, apart from Symantec, were Thawte, cacert.org and ips CA. I think it is safe to say there is almost no chance of a client or server using the DSS cipher suites with a DSA-key SSL server certificate.

Incidentally, accessing these DSA-certificate sites with Firefox 36 and Chrome 41 produces the displays below: either the cipher suite is not supported at all or the root is not trusted, so the connection fails. The only way to connect is OpenSSL's s_client command.
[figure: dsa-firefox2]
[figure: dsa-chrome]

SSL server certificates with ECDSA public keys

ECDSA certificates, at 5%, are a reasonable number, but a look at the list of domains shows that almost all of them are cloudflaressl.com domains.

Certificates                                                    Count     Share (%)
ECDSA-key SSL server certificates                               398,841   100%
of which ECDSA-key SSL server certificates for cloudflaressl.com 398,262   99.85%
of which ECDSA-key SSL server certificates for other domains    569       0.15%
I seem to recall someone telling me that "ECDSA certificates are at several percent worldwide and steadily growing; they're gradually catching on", but outside Cloudflare only 569 have been sold in the entire world! ECDSA certificates were being carried by Cloudflare. Food for thought.

Oh, and Google uses ECC-key SSL server certificates for *.google.com and the like, so an SSL/TLS connection ends up with an ECDHE_ECDSA cipher suite, yet the key of the CA issuing those certificates is RSA and it signs with SHA1withRSA. Something like "you push everyone toward SHA2 with Chrome, and you're on SHA1 yourself?!"

Closing

So that was a look at how widely DSA and ECDSA certificates are used worldwide. I learned some quite interesting facts, so personally I'm glad I did it. I just haven't gotten serious yet. From tomorrow I'll knuckle down on the presentation slides, orz. I have been digging deep into Certificate Transparency and would like to write it up somewhere, but odd jobs keep getting in the way.
