自堕落な技術者の日記 (Diary of a Self-Indulgent Engineer)

Basically I'm either eating or drinking, but as hobbies I do karaoke, PKI, digital signatures, authentication, programming and information security. I love travelling, and I love TV and follow showbiz.

TLS

Playing with Mozilla Firefox's CRLite (the moz_crlite_query story)

Revocation checking via OCSP has a really bad reputation these days: OCSP responses can fail to arrive because of network or server outages, as in the recent Apple macOS Big Sur incident, where the mass verification of software code signatures is presumed to have caused a revocation-check outage through an overloaded OCSP responder. For that reason, the web-browser world is apparently moving to other revocation-check methods: CRLSet in Chrome and CRLite in Firefox. Regarding Chrome's CRLSet, back in February 2013 I wondered whether CRLSet was really good enough and wrote a blog entry titled "The troubling story of Google Chrome planning to stop online revocation checking of SSL certificates and push its own revocation information instead". (I haven't kept up with what has happened to Chrome's CRLSet since then, though.)

So, about Firefox CRLite: the other day an article titled "Querying CRLite for WebPKI Revocations" (2020.11.26) was published. Together with it, a Python tool, moz_crlite_query, was released for checking the CRLite revocation-check feature implemented in Firefox Nightly. Since it is said to be implemented in Firefox Nightly 85.0, I suppose the official Firefox 85 release scheduled for 26 January 2021 will use CRLite revocation checking. (Sorry if I've got that wrong.) Oh, Firefox's CRLite is finally going into real-world operation... With that excitement, today I want to try out moz_crlite_query.

Installation

On Python 3.7 or later,

% pip install moz_crlite_query

installs it. Building the Python modules it depends on seems to require gcc and g++.

My MacBook Air has been in use for a long time and its Python environment is a mess: there's the OS-provided Python 2.7, a Python 3?, MacPorts' Python 2 and Python 3, and so on. Switching between them didn't go well and I got badly stuck on the installation. With an old Python setuptools, even an old version such as 2.7 doesn't raise an install error, and that's what tripped me up. I should have used pyenv from the start... I reinstalled Python 3.9 with pyenv, copied back the moz_crlite_query script I had installed under Windows 10 WSL2, and finally got it running. Where does the moz_crlite_query script get installed when you install with pyenv???

Installing it into Ubuntu on Windows 10 WSL2 was not that hard. I installed the missing gcc, g++ and python3-dev with apt and then it installed with pip.

The examples on the site fetch a PEM certificate file each time, but you can also query with "moz_crlite_query --hosts <FQDN of the TLS site to check>". For example, checking www.nist.gov on the Mac looks like this:
[figure: crlite-mac]
and checking ec.europa.eu on Windows WSL runs like this:
[figure: crlite-win]
(Don't use emoji!!!)
You can also query by specifying a PEM certificate with "moz_crlite_query <PEM certificate file>".

So, let's take a look.

The CRLite database is apparently updated and distributed four times a day; the moz_crlite_query command checks the database and, if a newer one exists, downloads the whole set into ~/.crlite_db and uses it. The file list looks like this:

2020-11-24T00:08:12+00:00Z-full
2020-11-24T06:08:12+00:00Z-diff
2020-11-24T12:08:14+00:00Z-diff
2020-11-24T18:08:15+00:00Z-diff
2020-11-25T00:08:23+00:00Z-diff
2020-11-25T06:08:05+00:00Z-diff
2020-11-25T12:08:22+00:00Z-diff
2020-11-25T18:08:11+00:00Z-diff
2020-11-26T00:08:11+00:00Z-diff
2020-11-26T06:08:17+00:00Z-diff
2020-11-26T12:08:14+00:00Z-diff
2020-11-26T18:08:13+00:00Z-diff
2020-11-27T00:08:16+00:00Z-diff
2020-11-27T06:08:13+00:00Z-diff
2020-11-27T12:08:20+00:00Z-diff
2020-11-27T18:08:11+00:00Z-diff
2020-11-28T00:08:14+00:00Z-diff
2020-11-28T06:08:12+00:00Z-diff
2020-11-28T12:08:12+00:00Z-diff
2020-11-28T18:08:21+00:00Z-diff
intermediates.sqlite

As the command prints when run, 2457 public intermediate CAs seem to be registered. The FAQ goes as far as saying "all CAs", but that does not seem to be the case. Intermediate CAs that issue end-entity SSL server certificates are mostly registered, but CAs that are not for issuing SSL server certificates and CAs used to verify intermediate CA certificates appear not to be. If you query an intermediate CA that is not registered, it shows "Enrolled in CRLite: ✕", from which you can tell it isn't enrolled. (Stop it with the emoji, lol)

"intermediates.sqlite" is the SQLite database of intermediate CAs. It contains only one table, with the schema defined as follows. You can more or less guess what it means.

CREATE TABLE intermediates (
  id TEXT PRIMARY KEY,
  last_modified TEXT,
  subject TEXT,
  subjectDN BLOB,
  derHash BLOB,
  pubKeyHash BLOB,
  crlite_enrolled BOOLEAN,  -- 1656 intermediate CAs have crlite_enrolled = FALSE, so only 801 CAs are covered?
  whitelist BOOLEAN         -- the intermediate CAs with whitelist = TRUE were not enrolled
);
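To make the schema concrete, here is an added example (not part of the post and not code from moz_crlite_query): it creates the intermediates table with the schema above in an in-memory SQLite database, fills it with constructed sample rows, and answers the two questions the post raises, how many intermediates are enrolled versus not, and whether a given issuer is "Enrolled in CRLite". The lookup is keyed by pubKeyHash, which is assumed here to be a digest of the issuer's public key; the sample hashes are made up.

```python
import sqlite3

# Schema as shown in the post for intermediates.sqlite.
INTERMEDIATES_SCHEMA = """
CREATE TABLE intermediates (
  id TEXT PRIMARY KEY,
  last_modified TEXT,
  subject TEXT,
  subjectDN BLOB,
  derHash BLOB,
  pubKeyHash BLOB,
  crlite_enrolled BOOLEAN,
  whitelist BOOLEAN
);
"""

# Constructed sample rows (not real CA records):
# (id, last_modified, subject, subjectDN, derHash, pubKeyHash, crlite_enrolled, whitelist)
SAMPLE_ROWS = [
    ("ica-1", "2020-11-26T12:08:14Z", "CN=Sample TLS Issuing CA 1", b"\x30\x00", b"\x01" * 32, b"\x11" * 32, 1, 0),
    ("ica-2", "2020-11-26T12:08:14Z", "CN=Sample TLS Issuing CA 2", b"\x30\x00", b"\x02" * 32, b"\x22" * 32, 1, 0),
    ("ica-3", "2020-11-26T12:08:14Z", "CN=Sample Code Signing CA", b"\x30\x00", b"\x03" * 32, b"\x33" * 32, 0, 0),
    ("ica-4", "2020-11-26T12:08:14Z", "CN=Sample Cross-Signing CA", b"\x30\x00", b"\x04" * 32, b"\x44" * 32, 0, 1),
]


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory database with the post's schema and the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(INTERMEDIATES_SCHEMA)
    conn.executemany("INSERT INTO intermediates VALUES (?, ?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def enrollment_summary(conn: sqlite3.Connection) -> dict:
    """Count intermediates by enrolment status: the split the post wonders about
    (rows with crlite_enrolled = FALSE, and whether any whitelisted CA is enrolled)."""
    total, enrolled, not_enrolled, whitelisted_and_enrolled = conn.execute(
        """
        SELECT COUNT(*),
               SUM(crlite_enrolled = 1),
               SUM(crlite_enrolled = 0),
               SUM(whitelist = 1 AND crlite_enrolled = 1)
        FROM intermediates
        """
    ).fetchone()
    return {
        "total": total,
        "enrolled": enrolled,
        "not_enrolled": not_enrolled,
        "whitelisted_and_enrolled": whitelisted_and_enrolled,
    }


def lookup_issuer(conn: sqlite3.Connection, pubkey_hash: bytes):
    """Answer the tool's 'Enrolled in CRLite' question for one issuer, keyed by its
    pubKeyHash (assumed to be a digest of the issuer's public key).
    None means the issuer is not in the table at all."""
    row = conn.execute(
        "SELECT subject, crlite_enrolled, whitelist FROM intermediates WHERE pubKeyHash = ?",
        (pubkey_hash,),
    ).fetchone()
    if row is None:
        return None
    return {"subject": row[0], "enrolled": bool(row[1]), "whitelist": bool(row[2])}


if __name__ == "__main__":
    db = load_sample_db()
    print(enrollment_summary(db))
    print(lookup_issuer(db, b"\x33" * 32))
```

The practical point of the summary is that a leaf certificate whose issuer is not enrolled cannot be judged through CRLite at all, so the client has to fall back to another check for it; this is why "2457 intermediates" is not the same as "every CA".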

Well, that's how it looks. The doubts I wrote down in the CRLSet days haven't been dispelled, and I still feel uneasy about whether it can really be trusted. I also have the feeling I've found something nasty. I can't say anything definite without seeing how it is used in the browser, though...

That's it for today. My environment is getting polluted and the battery is in a terrible state, so maybe I should buy an M1 MacBook Air...

(Quick tip) The flag setting that shows certificates in Chrome 60

Since Chrome 56, Google's "amateurs, stay out" UI/UX policy has made it impossible to easily show the SSL server certificate used for an HTTPS connection from the padlock icon. It was a harsh blow for certificate lovers. The certificate can still be shown from the developer tools, so I suspect many people have been either navigating the menus or practising the shortcut keys a hundred times:

Windows: Ctrl + Shift + I or F12
Mac: ⌘ + Opt + I

Today I'd like to introduce the setting that, at last, lets you show the certificate easily via a flag from Chrome 60.

With nothing configured, the menu you see by clicking the padlock icon while viewing an HTTPS site looks like this:
[figure: before]
So, enter the following in the address bar:

chrome://flags/#show-cert-link

Then a flag setting like this is displayed:
[figure: flag]
Click "Enable" and restart the browser as instructed. Then, when you view an HTTPS site, like this
[figure: after]
a "Certificate, Valid" link appears, and clicking it shows the certificate. Phew, that's a relief.

Thinking about HPKP (HTTP Public Key Pinning)

Contents
1. Introduction
2. The background to HPKP
3. How HPKP works
4. Considerations on pin configuration
　4.1. How to obtain pin values
　4.2. Choosing the pin that matches the certificate chain
　4.3. Operating certificate renewal and HPKP header configuration changes
　4.4. The poor naming of "backup pin"
　4.5. Recommended value for a backup pin of CA keys
　4.6. Multiple pins within a certificate chain are pointless
　4.7. Issues when continuing to pin the same CA certificate
　4.8. Issues when pinning two CA certificates
　4.9. Thinking about a recommended max-age value
5. How widely is HPKP used
6. What went wrong with HPKP as it stands
7. Conclusion
8. (Reference) Useful links for studying HPKP
9. Addenda
　9.1. Addendum (2017.02.26) HPKP browser support status
　9.2. Addendum (2017.02.26) The HPKP outage at smashingmagazine.com

1. Introduction

HPKP stands for HTTP Public Key Pinning. It is specified in RFC 7469, Public Key Pinning Extension for HTTP, and is a mechanism that lets a website owner protect against an unintended certificate chain being used on a fake site.

There isn't much material in Japanese, but it is explained in articles by jovi0608, whom I greatly respect, and by Jxck, among others.

I too had wanted, for a little over three years, since around the time before I wrote the IPA guide, to write something on a blog or elsewhere about the operational issues of HPKP, but I kept getting swamped by the odd things of daily life and never managed to put it together. (There is also the fact that just as I was about to write it, jovi's came out, and I thought "oh well" lol.) I tried to get it into the IPA guide too, but for grown-up reasons I couldn't get it added. Sigh.

This time I'll leave the basics of what HPKP is to other people's blogs and focus on the current state of HPKP and on its operational issues. It looks like it'll be long; sorry about that.

To give the conclusion first: I think you should not casually use HPKP on a production site. The HPKP specification itself was not designed with operations in mind; for an ordinary site it provides little security benefit, while over long-term operation the risk of periods in which you cannot provide the service is far too high, and certificates cost extra as well.

This is probably the first explanatory material in the world that goes this deep into HPKP operations. Enjoy, lol

2. The background to HPKP

From around 2011, incidents increased in which cyber attacks against certification authorities, or flaws in CA operations, led to wildcard certificates for famous sites such as Google and Facebook (*.google.com and the like), convenient for attacks, being obtained. What angered Google was the 2011 incident in which the Dutch CA DigiNotar was compromised, a *.google.com wildcard certificate was issued, and it was used for eavesdropping and attacks at an Iranian provider.
[figure: hpkp-digi]
To prevent such incidents, a mechanism is needed that raises a warning when a certificate the site owner did not intend is used for a website. HPKP was developed for that. With HPKP, by checking that the hash of a certificate public key in the certificate chain matches, the browser can verify whether the certificate is the one the website owner intended.
[figure: hpkp-hpkp1]
Chapter 1 of jovi's blog explains the background and mechanism in an easy-to-follow way, so please have a look there as well.

3. How HPKP works

There are two ways HPKP is implemented.

  • 1) Matching against a list of pins built into browsers such as Chrome and Firefox (the Preloaded Known Pinned Host List) for famous sites such as Google, Facebook and Twitter
  • 2) Obtaining an HTTP header with pin information from the server during HTTPS communication, storing it in the browser, and using it for matching in subsequent connections
With method 1), as long as your browser is up to date, you can connect safely to famous sites using HPKP without configuring anything. What I want to discuss in this article is case 2), where the site owner configures it, so I'll explain how 2) works.
[figure: hpkp-sethead]
You configure the HPKP HTTP header on the web server so that clients will not connect through an illegitimate certificate chain; it is configured from the certificate chain, root certificate through SSL server certificate, used in the web server's HTTPS configuration. The HTTP header and the format of its value are as follows:

Public-Key-Pins: \
    pin-sha256="<Base64 of the SHA-256 hash of one of the public keys in the chain>"; \
    pin-sha256="<Base64 of a SHA-256 hash that matches none of the public keys in the chain>"; \
    [pin-sha256="<other hash value 1>"; ...; ] \
    max-age=<number of seconds the browser keeps this HPKP header>; \
    [includeSubDomain;] \        whether subdomains (sub.example.com for example.com) are also covered by HPKP
    [report-uri="<URL to which a JSON error report is POSTed>"; ]
[...] denotes an option.

  • pin-sha256 is configured from the certificate chain; how to configure it and the considerations are described later.
  • For the max-age retention period, section 4.1 of the RFC discusses it and suggests that 60 days (= 5184000 seconds) might be good; let me return to that discussion later too.
  • includeSubDomain is a flag for whether to include subdomains: for example, if HPKP is set on example.com, sub1.example.com and www1.sub2.example.com are also covered. If you don't have subdomains at the moment, I think it's better not to set it casually.
  • Like CSP and similar mechanisms, HPKP is verified on the browser side, so the server side cannot tell the cause of errors, which can be troublesome. With report-uri, when an HPKP error occurs in the browser it POSTs a JSON error report to the web server at the specified URL, which may help you learn about configuration problems. Jxck's blog has a detailed report of trying out the setting, so it's worth a look. As that blog also notes, the conditions under which a report is emitted are unclear and seem to depend on the browser and version; I haven't managed to get reports generated either.
Also, if you set the HTTP header as "Public-Key-Pins-Report-Only" instead of "Public-Key-Pins", you can collect error reports without causing errors in the browser, so use that when testing.

4. Considerations on pin configuration

By setting pins with the pin-sha256 attribute, you can prevent certificates the server owner did not intend from being used. The pin values consist of at least two entries: at least one that matches one of the certificates in the certificate chain, and at least one that matches none of them.
[figure: hpkp-intersect]

4.1. How to obtain pin values

Now, the easiest way to get the hash values: if your web server's HTTPS configuration is already done, it is best to use Scott Helme's HPKP hash page. Enter the URL of an HTTPS site, yours or someone else's, and it computes the pin hash value for each certificate in the chain.
[figure: index]
The pin hash values are shown, from the SSL server certificate up to the root certificate, like

pin-sha256="hUIG87ch71EZQYhZBEkq2VKBLjhussUw7nR8wyuY7rY="

so all you do is decide which pins to use and set them in the HTTP header.

As for computing a single pin's hash value: it can be computed from the certificate, from the certificate signing request (CSR/PKCS#10), or from the PKCS#8 public key extracted from the private key (or, depending on the key algorithm, from the key parameters). Various people's blogs go to the trouble of creating a CSR before computing the hash, but especially for a backup pin that does not have a certificate yet, I think it is better to compute the hash straight from the public key without doing that. As before, Scott Helme's tool has a page that computes the pin hash when you paste in a PEM PKCS#8 public key, CSR or X.509 certificate, so using that is easiest.

If you want to obtain the pin by hand, the following gives you the pin value, the SHA-256 hash of the public key. Other articles use the base64 command or force you to generate a CSR each time; the method shown here uses only the OpenSSL command, and I've given examples covering the various cases so that you can obtain the pin in each.

Obtaining the pin of the PKCS#8 public key in the subjectPublicKeyInfo field of an X.509 certificate:
% openssl x509 -in <PEM certificate> -pubkey -noout | openssl rsa -pubin -outform DER | \
    openssl dgst -sha256 -binary | openssl enc -base64
te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=
Obtaining the pin of the PKCS#8 public key in the subjectPKInfo field of a CSR:
% openssl req -in <PEM CSR file> -pubkey -noout | openssl rsa -pubin -outform DER | \
    openssl dgst -sha256 -binary | openssl enc -base64
te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=
Obtaining the pin from a PKCS#8 private key:
% openssl rsa -in <PKCS#8 private key> -pubout -outform DER | \
    openssl dgst -sha256 -binary | openssl enc -base64
te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=
Obtaining the pin from a PKCS#8 public key:
% openssl rsa -pubin -in <PKCS#8 public key> -pubout -outform DER | \
    openssl dgst -sha256 -binary | openssl enc -base64
te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=
Set the obtained value in the header as pin-sha256="te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=".

Once you have the values, set them in the web server's HTTP headers. For Apache HTTP Server, for example, configure it like this:

<VirtualHost _default_:443>
  ...
  Header set Public-Key-Pins \
    "pin-sha256=\"MRnxhYBVCMAxZHwalTJ7ZVl6P2005lll4ttWr+RN1Ro=\"; \
     pin-sha256=\"633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q=\"; \
     max-age=2592000; \
     report-uri=\"https://report.example.com\""
  ...

Backslashes and line breaks are inserted for readability. 2592000 seconds is 30 days.
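As an added example, not the post's own code, here is the same computation in Python's standard library: the pin is the Base64 of the SHA-256 over the DER SubjectPublicKeyInfo, which is exactly what the openssl pipelines above produce. A minimal DER walker extracts subjectPublicKeyInfo from a certificate (the job done by `openssl x509 -pubkey` followed by `openssl rsa -pubin -outform DER`), and a constructed, unsigned certificate skeleton with a made-up RSA modulus is built inline so that the code runs offline. The helper names are my own.

```python
import base64
import hashlib


def _read_tlv(buf: bytes, pos: int):
    """Decode the DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, whole_tlv_bytes) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, _, value_end = _read_tlv(buf, pos)
        yield tag, buf[pos:value_end]
        pos = value_end


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Extract the DER SubjectPublicKeyInfo from an X.509 certificate (RFC 5280):
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, start, end = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs = next(_children(cert_der, start, end))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, tbs_start, tbs_end = _read_tlv(tbs, 0)
    fields = list(_children(tbs, tbs_start, tbs_end))
    if fields and fields[0][0] == 0xA0:       # explicit [0] version is optional
        fields = fields[1:]
    spki_tag, spki = fields[5]                # serial, sigalg, issuer, validity, subject, SPKI
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin value: Base64 of SHA-256 over the DER SubjectPublicKeyInfo, the same
    bytes `openssl dgst -sha256 -binary | openssl enc -base64` prints."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_from_certificate(cert_der: bytes) -> str:
    return pin_sha256(spki_from_certificate(cert_der))


# --- constructed fixture: a tiny DER encoder and an unsigned certificate skeleton ---

def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _der_int(i: int) -> bytes:
    return _tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))


RSA_OID = bytes.fromhex("2a864886f70d010101")          # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11


def build_sample_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key: AlgorithmIdentifier + BIT STRING(RSAPublicKey).
    The modulus n passed in the example is made up, not a real key."""
    rsa_public_key = _tlv(0x30, _der_int(n) + _der_int(e))
    algorithm = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))


def build_sample_certificate(spki: bytes) -> bytes:
    """Structurally valid but unsigned certificate around the given SPKI (constructed)."""
    sig_alg = _tlv(0x30, _tlv(0x06, SHA256_RSA_OID) + _tlv(0x05, b""))
    empty_name = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"220101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _der_int(2)) + _der_int(1) + sig_alg
               + empty_name + validity + empty_name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    sample_spki = build_sample_spki(0xC0FFEE0123456789ABCDEF, 65537)
    print(pin_from_certificate(build_sample_certificate(sample_spki)))
```

Because the pin covers only the SubjectPublicKeyInfo, a certificate, a CSR and a bare public key for the same key all give the same pin, which is why the four openssl pipelines above print the same value.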

4.2. Choosing the pin that matches the certificate chain

With HPKP you must configure at least one pin that matches the certificate chain. In this section I'd like to consider the following two cases separately:

  • 1) A comparison of choosing only one of the certificates in the chain
  • 2) Considerations on choosing two or more, or all, of the certificates in the chain

When the certificate chain has three levels, SSL server certificate, intermediate CA certificate and root certificate, and you pick just one pin to verify that an illegitimate, unintended certificate chain is not in use, which one should you pick? Each of these three cases has strengths and weaknesses, so let's consider them. For the SSL server certificate, I split the consideration into the case where the key pair to be used at renewal some years later is already decided (= key pre-generated) and the case where it is not (= no key pre-generation).

Certificate | Strengths and weaknesses | Security | Operational burden

① Root CA certificate
  • The validity period is long, so the pin rarely needs changing; probably no change needed for about 10 years
  • The preloaded pins built into browsers use the root certificate
  • The public key after a key rollover is not known in advance, so a backup pin cannot be used
  • When buying a new SSL server certificate it is not necessarily from the same root CA, in which case a pin migration is needed
  • The number of certificates under a root certificate is very large, so if that CA is made to issue an illegitimate certificate, the risk that the attack cannot be prevented is high. For example, there was the incident in which Symantec issued Google certificates without Google's permission.
  • The chance that the root CA changes at certificate renewal is low, but if it does, a troublesome migration that takes max-age into account is needed, and the operational burden is high
  Security: low / Operational burden: high

② Intermediate CA certificate
  • The validity period is fairly long, so the pin needs changing somewhat less often; probably no change needed for about 5 years
  • Perhaps a good balance between security and operational burden?
  • Renewing the SSL server certificate is relatively easy when the pinned intermediate CA's public key has not changed
  • There is no guarantee that the pinned intermediate CA's public key will be the same at the next SSL server certificate renewal.
  • There is a risk that the intermediate CA certificate changes when the SSL server certificate is renewed, and since that is not announced in advance, the risk of a service outage from SSL connection failures is high
  • The operational burden of migrating when the intermediate CA certificate changes is very high, both in frequency and in effort
  • There is a risk that a certificate for the same domain illegitimately issued by the same intermediate CA would also pass verification. The risk is lower than ①, but higher than ③④
  • There is some chance that the intermediate CA changes at certificate renewal, more likely than ①. If it changes, a troublesome migration that takes max-age into account is needed, and the operational burden is high
  Security / operational burden: (rating garbled in the source)

③ SSL server certificate (key pre-generated)
  • At SSL server certificate renewal the chance of failing to match the pinned public key is low, so the risk of a service outage from an HPKP misconfiguration is the lowest
  • The method the HPKP RFC can be read as recommending (it is described as if it were simple to do)
  • The risk of an illegitimate certificate chain being used is (private-key leakage aside) about the same as ④, and higher than ①②
  • Because the pin to change to is known in advance, the certificate can be renewed without worrying much about max-age (as long as you do not renew again within max-age)
  • Pre-generating the key pair for the next SSL server certificate renewal is only possible if you generate key pairs by hand with OpenSSL or similar; with a certificate service where you do not generate the CSR yourself and a browser component generates the key pair automatically, this method cannot be used
  • Let's Encrypt cannot be used, so no reduction of operational burden from automatic SSL server certificate renewal can be expected
  • Key pairs are normally generated at certificate renewal, but here that is done about two years ahead. Pre-generating means the risk of the SSL server certificate's private key leaking is correspondingly higher, and the burden of keeping it confidential is large
  • At certificate renewal you need to take reasonable care over the configuration change, and this recurs about every two years or a little less, so the operational burden is relatively high
  Security / operational burden: (rating garbled in the source)

④ SSL server certificate (no key pre-generation)
  • Everything is under your own control; the risk of a service outage from misconfiguration is at about the same level as ③
  • Compared with ③, the risk of the SSL server certificate's private key leaking is also lower
  • The risk of an illegitimate certificate chain being used is (private-key leakage aside) about the same as ③, and higher than ①②
  • The period during which the SSL server certificate can be used always shrinks by (max-age + α) × 2. For a 2-year certificate with a max-age of 2 months, including testing and margin it gets about 4 to 5 months shorter, so the cost burden for certificates increases
  • If you overlap the certificate validity periods by max-age + α around renewal, the pin change is always done with max-age in mind. There is an operational burden, but compared with ①②, where whether the pin changes depends on the CA and cannot be known, a schedule for certificate renewal and HPKP configuration change that respects max-age can always be planned, making it routine work, so the psychological burden of operation is somewhat lower than ①②
  Security: high / Operational burden: medium

So, which of ① to ④ should you choose? For an ordinary site that cannot use the browser's built-in pins, I think either ② or ③ is reasonable, but each carries an operational burden and a risk of being unable to provide the service. If an individual configures it for testing purposes, anything goes, but if I were entrusted with running a commercial site, the biggest concern would be a long outage leading to complaints, so I think I would decide not to use HPKP.

4.3. Operating certificate renewal and HPKP header configuration changes

In section 4.2 we looked at what difference it makes where in the certificate chain the pin is set.

In this section, building on that, I consider how certificate renewal and HPKP header changes on an HPKP-enabled site should be operated while preventing service unavailability from configuration faults.

Certificate renewal with HPKP can be divided into four cases:

  • a) You confirm, before max-age ahead of the renewal, that the key being pinned will not change
  • b) Before max-age ahead of the renewal, you know what the pinned public key will change to across the renewal
  • c) Before max-age ahead of the renewal, you do not know what the pinned public key will change to (or a change is certain), but the validity periods of the old and new certificates can be overlapped by max-age + α
  • d) Before max-age ahead of the renewal, you do not know what the pinned public key will change to (or a change is certain), and the validity periods of the old and new certificates cannot be overlapped by max-age + α
Such descriptions probably don't give a concrete picture, so let me give concrete examples per certificate in the chain.
  • a-1) Pins are set on the root or intermediate CA certificate; you ask customer support and learn that at the next renewal, after max-age, the root and intermediate CA certificates will not change. (If customer support's answer turns out to be false, some users face a 2-month (= max-age) outage.)
    [figure: hpkp-move1]
  • b-1) Pins are set on the root or intermediate CA certificate; you ask customer support and they tell you which root and intermediate CA certificates will be used at the next renewal, or it is announced on a support page. Likewise for a change of certificate service, a switch to EV, and so on.
    [figure: hpkp-move-b1]
  • b-2) The pin is set on the SSL server certificate, and the key pair for the next renewal has already been pre-generated with OpenSSL or similar and is being kept
    [figure: hpkp-move-b2]
  • c-1) Pins are set on the root or intermediate CA certificate, but customer support cannot answer whether they will change at the next renewal, so you cannot judge; you have no choice but to have the certificate issued early, max-age + α before the renewal, so that the validity periods overlap, and the root or intermediate CA certificate turns out to have changed after all (if it has not, this becomes case a-1).
    [figure: hpkp-move-c1]
  • c-2) The pin is set on the SSL server certificate, but the CA is the type that generates the key pair in the browser rather than with OpenSSL, so the post-renewal public key is not known in advance, yet the certificate can be issued early, max-age + α before the renewal, so that the validity periods overlap
    [figure: hpkp-move-c2]
  • c-3) The pin is set on the SSL server certificate, but an SSL accelerator with HSM functionality is used, so the post-renewal public key is not known in advance, yet the certificate can be issued early, max-age + α before the renewal, so that the validity periods overlap. The migration diagram is the same as c-2
  • d-1) The pin is set on the SSL server certificate, but, as with Let's Encrypt and some other CAs, the previous certificate is revoked immediately after renewal, so the validity periods cannot be overlapped by max-age + α
    [figure: hpkp-move-d1]
Did the explanation above make it clear which case your own operation falls into? Here is how to handle cases a to d:
  • Handling a) At certificate renewal, the web server's HPKP header configuration need not be changed
  • Handling b) Without worrying much about max-age, the web server's certificate configuration and HPKP header can be changed after the certificate renewal
  • Handling c) The most nerve-racking one: certificate renewal and HPKP header configuration that take max-age into account are needed. The validity periods must overlap across the renewal
  • Handling d) HPKP cannot be used in this case. You need to consider changing the pin configuration to another certificate or certificate service. If you use it anyway, some users will suffer a connection outage of roughly max-age.
Whatever certificate renewal or HPKP header migration you do, you have to draw up a migration plan with attention to certificate expiry, max-age, private-key storage and many other things, and if you do not think it through carefully a long service outage results; I think this operational burden and risk is large.

4.4. The poor naming of "backup pin"

As stated earlier, you must always include one pin that does not match the certificate chain. When pinning the SSL server certificate, if you can pre-generate, alongside the private key of the SSL server certificate currently in use, the private key planned for the future renewal, then setting its public key as the backup pin lets it serve as a genuine backup and (with all the problems described later) allows a smooth migration of certificate and pin.

However, the case where a private key can be pre-generated as the migration-target backup and actually used is rare. In the following commonly occurring cases, the pre-generated private key cannot be used at certificate renewal:

Backup pin for a CA certificate
When a CA renews its certificate or rolls its key, there is no such thing as a migration-target private key existing in advance, and no CA publishes the pin of its future public key to users.
Backup when an HSM is used
Where a CA or an SSL accelerator is used, it is common to manage the private key in a hardware security module (HSM) from which it cannot be extracted. With key and certificate renewal using an HSM, you cannot generate several private keys in advance and pick one at renewal; a new key pair is generated at renewal and used. This is why CAs cannot publish backup pins.
CAs that generate the key pair in a web page and issue the SSL server certificate
Some CAs use the web browser's functionality: press a button, a key pair is generated automatically, a certificate is issued with it and the new certificate is stored. With such CAs, a key generated in advance cannot be used at issuance.
Using Let's Encrypt
Let's Encrypt, the free certificate service with the largest issuance volume in the world, automates the issuance process with scripts, but it too generates a key pair automatically at renewal, so a pre-generated key pair cannot be used.
A "backup pin" in the true sense is therefore only possible when:
  • the pin is on the SSL server certificate, and
  • you generate the key pair with a command such as OpenSSL, create the certificate signing request manually, and use a CA that issues the certificate from it.
Hence calling the entry that does not match the chain a "backup pin" is inappropriate in most of the cases above, and I think the name is a problem.

4.5. Recommended value for a backup pin of CA keys

When pinning the root or intermediate CA certificate, the non-matching pin can be anything if the future replacement is unknown; moreover, it does not even need to be the hash of a real public key. It's SHA-256, so any 32-byte value will do.

However, I think it's better if one can tell at a glance from the HPKP header which pin is the non-matching one, to prevent operational mistakes such as deleting the wrong one, so the value I'd like to recommend is this:

pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";

In hexadecimal this is 0000000000000000000000000000000000000000000000000000000000000000 (32 bytes). I hope it catches on, lol

4.6. Multiple pins within a certificate chain are pointless

So far the discussion has assumed one pin matching the chain. Let's consider what happens with several, for example matching the pins of the root certificate, the intermediate CA certificate and the SSL server certificate.

First, consider pinning the SSL server certificate, then adding the intermediate CA certificate's pin, then the root certificate's pin. I assume the obvious: the same key pair is not used for server certificate issuance by several CAs. Pinning the SSL server certificate is the most narrowly scoped and the strongest countermeasure against fake HTTPS, as stated in section 4.2 ③④.

What if we add the intermediate CA certificate's matching pin to that? The set of certificates the pins identify does not change at all, so adding the intermediate CA pin makes building a fake HTTPS site no harder and does not raise the security strength. Operationally, keeping the pins matching is harder than with a single pin, and since it covers a range the website owner alone cannot manage, operating certificate and pin header changes becomes far more complex and troublesome. Exactly the same applies when the root certificate's pin is added: security does not improve and the migration operation becomes complex.
[figure: hpkp-multipin]

Therefore, multiple pins in a certificate chain are pointless and only complicate operations, so it is better not to do it.

4.7. Issues when continuing to pin the same CA certificate

For the time being, if you keep getting certificates issued from the same root CA or intermediate CA, you can pin that CA certificate's public key. In that case, since the CA will not tell you the pin of its successor, the backup pin can be any suitable value. It need not be a public-key hash; any Base64 representation of a 32-byte value will do (as long as it does not collide).

But I wrote "for the time being": there is no guarantee that the intermediate CA that issued your SSL server certificate will be the same intermediate CA with the same public key at the next issuance. The same intermediate CA certificate may not be used, for the following reasons:

  • Intermediate CA certificates are valid for about 5 to 10 years. From around the midpoint of that validity, or at the latest with 2 or 3 years left, that intermediate CA stops issuing certificates and subscribers get certificates from a different CA.
  • The more certificates are issued, the larger the certificate revocation list (CRL) becomes, so there are cases where the number issued from one intermediate CA is capped and subsequent certificates are issued from a new intermediate CA.
  • In recent years, operational failures at CAs, cyber attacks and so on have caused whole certificate services or particular intermediate CAs to cease operation or shut down.
In such cases the same intermediate CA's pin cannot be used.

When you find that the same root or intermediate CA whose valid pin you set will not issue a new certificate, migrating to a different certificate cannot happen immediately: for the period specified by max-age, generally one month to one year, the certificate cannot be swapped. In the worst case, valid HTTPS communication may be impossible for that period.

This is not to say there is no way to mitigate the impact. At time A, when you decide to renew and discover that the same intermediate CA cannot issue, record time B = A + max-age and obtain the new certificate (but do not use it yet). Set the pin of the new certificate's different intermediate CA public key in the web server's header as the backup pin. Only at time B do you switch to the new certificate. For this reason, a long max-age such as one year helps prevent fake sites, but given the certificate renewal risk just described, setting it to about half a month to one month seems reasonable.
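Added example (not from the post): a small planner for the schedule described in case c of section 4.3 and in the A/B procedure above. Given the time A at which the new key's pin is published as the backup pin, the header's max-age, a safety margin α and the old certificate's expiry, it returns the earliest switch time B = A + max-age + α, or reports case d when the old certificate cannot remain valid until B. It also computes the usable lifetime left after the two overlaps that section 4.2 ④ charges to each certificate. The function and parameter names are my own; the sample dates are constructed.

```python
from datetime import datetime, timedelta, timezone


def utc(year: int, month: int, day: int) -> datetime:
    """Constructed helper for readable sample dates."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def plan_pin_rotation(publish_time: datetime, max_age: int, alpha: int,
                      old_cert_not_after: datetime) -> dict:
    """Schedule a pin change the way case c (4.3) and the A/B procedure (4.7) describe.

    publish_time (A): when the new key's pin is added to the Public-Key-Pins header
                      while the old certificate keeps being served.
    max_age:          the header's max-age in seconds; alpha: extra margin in seconds.

    A browser that cached the old header keeps enforcing it for up to max-age after
    its last visit, so the switch to the new certificate must wait until
    B = A + max-age + alpha, and the old certificate has to stay valid (and unrevoked)
    until then. If it cannot, this is case d: rotating without an outage is impossible.
    """
    switch_not_before = publish_time + timedelta(seconds=max_age + alpha)
    plan = {"publish_new_pin_at": publish_time, "switch_not_before": switch_not_before}
    if switch_not_before > old_cert_not_after:
        shortfall = switch_not_before - old_cert_not_after
        plan.update(case="d", old_cert_not_after=old_cert_not_after,
                    shortfall_days=shortfall.days)
    else:
        plan.update(case="c", overlap_days=(switch_not_before - publish_time).days)
    return plan


def usable_lifetime_days(cert_lifetime_days: int, max_age: int, alpha: int) -> float:
    """Lifetime left for serving after the two overlaps of (max-age + alpha), one at
    the start and one at the end, that section 4.2 (④) charges to every certificate."""
    return cert_lifetime_days - 2 * (max_age + alpha) / 86400


if __name__ == "__main__":
    thirty_days, five_days = 30 * 86400, 5 * 86400
    print(plan_pin_rotation(utc(2017, 3, 1), thirty_days, five_days, utc(2017, 6, 1)))
    print(plan_pin_rotation(utc(2017, 3, 1), thirty_days, five_days, utc(2017, 3, 20)))
    print(usable_lifetime_days(730, 60 * 86400, 15 * 86400))
```

The second call shows the d-1 situation of section 4.3: with the old certificate expiring (or being revoked) 19 days after the new pin is published and a 30-day max-age, the switch would have to happen 16 days before it is safe, so some returning browsers would reject the new chain.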

4.8. Issues when pinning two CA certificates

When renewing SSL server certificates, alternating between two certificate services, say Symantec and GlobalSign, setting the pins of both intermediate CA certificates in the header and treating the one not currently in use as the backup pin is, I think, quite a clever approach.
[figure: hpkp-two]

However, for the reasons given above, there are cases where the pin of the GlobalSign intermediate CA certificate you planned to use after Symantec turns out to be unusable.

As shown above, when pinning CA certificates, don't you think operating HPKP on a web server while nervously watching the whims of certificate services is a real pain? If so, pinning the SSL server certificate, which you control yourself, starts to seem preferable even if it is troublesome.

4.9. Thinking about a recommended max-age value

The security considerations in RFC 7469 section 4.1 say the following about the maximum max-age, namely that "60 days might be a balanced value":

From RFC 7469 4.1. Maximum max-age
However, a value on the order of 60 days (5,184,000 seconds) may be considered a balance between the two competing security concerns.

However, in my survey based on Scott Helme's list of HPKP domains in chapter 5, among configurations that are operated sensibly, 30 days is the most common at 26%, followed by 60 days at 19%.

If max-age is too long,

  • when an outage occurs through misconfiguration, some users cannot connect for a long time
  • when validity-period overlap is needed, the effective certificate validity shrinks, affecting operational cost
These risks were explained in section 4.2. Conversely, what happens if max-age is too short?

Put simply, I think the chance of being hijacked by a fake HTTPS site becomes higher. If the real site's max-age is short and, at the moment it expires, the domain is hijacked or similar and a fake site is set up, and that fake site serves an HPKP header with a long max-age such as one year, then once that has happened some users will be able to connect only to the fake site for the next year.
[figure: hpkp-maxage]
A short max-age gives correspondingly more opportunity for attack, so max-age needs to be reasonably long.

From various information sources, I don't think it takes very long to notice that a fake site has been set up. Within a few days to a week, you would notice the problem. It would not go unnoticed for half a month or a month. I think the minimum max-age should be decided by "how long, at the latest, it takes to notice a fake HTTPS site problem".

Therefore, as a trade-off between the attack risk and the availability risk, I think setting max-age to about 15 to 30 days is good.

5. How widely is HPKP used

According to Netcraft's SSL survey of March 2016, only about 0.09% of sites worldwide, fewer than 4100, had HPKP configured, and misconfigurations were common, with only about 3000 of those configured correctly.

There is also a report on the blog of Scott Helme, who is well versed in CSP (Content Security Policy) and HPKP and runs an HPKP validation and reporting site, that only 375 of the Alexa top 1 million sites had HPKP configured.

Scott Helme also publishes his survey data; there was a list of 448 domain names of HPKP sites as of August 2016, so based on it I did a small survey of the 283 sites that still return an HPKP header as of February 2017.

[figure: hpkp-graph1]
First, I checked how correct the headers were: whether the HPKP header is correctly formatted and whether, as the spec requires two or more pin hash values, there are two or more. 16% turned out to be misconfigured. Among the wrong ones: no pin-sha256 attribute, an improper pin-sha256 value, only one pin-sha256 attribute, and so on. For example there were things like these:
  • ...
  • pin-sha256="base64+info1="; max-age=3
    hpkp-graph2
    ¼¡¤Ë¡¢HPKP¥Ø¥Ã¥À¤ÎPIN¤Î¥Ï¥Ã¥·¥åÃͤθĿô¤Ç¤¹¡£°ìÈ̤ˤÏPIN¤Î¥Ï¥Ã¥·¥åÃͤÏ2¤Ä¤Ç½½Ê¬¤Ç¡¢2¤Ä¤È¤Ê¤Ã¤Æ¤¤¤ë¥µ¥¤¥È¤¬Â¿¤¯Àê¤á¤Þ¤¹¤¬¡¢1¸Ä¤·¤«¤Ê¤¤¸í¤Ã¤¿¥µ¥¤¥È¤ä¡¢3¤Ä°Ê¾å¤òÀßÄꤷ¤Æ¤¤¤ë¥µ¥¤¥È¤âÁêÅö¿ô¤¢¤ê¤Þ¤¹¡£15¸ÄÀßÄꤷ¤Æ¤¤¤ë¤È¤¤¤¦ÌԼԤ⤢¤ê¤Þ¤·¤¿¡£
    hpkp-graph3
    HPKP¤ÇÍ­¸ú¤Ê¸ø³«¸°¥Ï¥Ã¥·¥å¤ÎÊݸ´ü´Ö¤òÄê¤á¤Æ¤¤¤ë¤Î¤¬¡¢max-age¤ÎÃͤǤ¹¡£RFC¤Ç¤Ï¡¢60Æü¤ò¿ä¾©¤·¤Æ¤¤¤ë¤è¤¦¤Ç¤¹¤¬¡¢¼ÂºÝ¤Ë¤Ï30Æü¤òÀßÄꤹ¤ë¥µ¥¤¥È¤¬Â¿¤¤¤È¤ï¤«¤ê¤Þ¤¹¡£¤Þ¤¿¡¢¥Æ¥¹¥ÈÃæ¤Ê¤Î¤«1Æü°Ê²¼¤Ë¤·¤Æ¤¤¤ë¥µ¥¤¥È¤âÁêÅö¿ô¤¢¤ê¤Þ¤¹¡£Ã»¤¤¤È¥µ¥¤¥È¤ò¾è¤Ã¼è¤é¤ì¤ë²ÄǽÀ­¤¬¹â¤Þ¤ê¤Þ¤¹¤·¡¢Ä¹¤¹¤®¤ë¤ÈÀßÄê¤Ë¼ºÇÔ¤·¤¿¾ì¹ç¤½¤Î´ü´ÖÀܳÉÔǽ¤Ë¤Ê¤Ã¤Æ¤·¤Þ¤¤¤Þ¤¹¡£1ǯ¤Ê¤É¤ÈÀßÄꤹ¤ë¤È¡¢ÀßÄ꼺ÇÔ¤·¤Æ¤¤¤¿¤é1ǯ´ÖÀܳ¤Ç¤­¤Ê¤¤¥æ¡¼¥¶¡¼¤¬½Ð¤Æ¥¯¥ì¡¼¥à³Î¼Â¤Ê¤Î¤Ë¶²¤í¤·¤¤¤Ç¤¹¤Í¡£
    hpkp-graph4
    report-uri¤òÀßÄꤹ¤ë¤È¡¢Âбþ¥Ö¥é¥¦¥¶¤Ê¤é¤Ð¡¢HPKP¤Î¥¨¥é¡¼¤ÎºÝ¤Ë»ØÄꤷ¤¿URL¤Ë¥ì¥Ý¡¼¥È¤òÁ÷¤ë¤³¤È¤¬¤Ç¤­¤Þ¤¹¡£Jxck¤µ¤ó¤Î¥µ¥¤¥È¤Ç¤ÏÀßÄꤵ¤ì¤Æ¤¤¤ë¤½¤¦¤Ç¤¹¤¬¡¢¤Þ¤À¤Þ¤ÀÀßÄꤷ¤Æ¤¤¤ë¥µ¥¤¥È¤Ï¾¯¤Ê¤½¤¦¤Ç¤¹¡£
    hpkp-graph5
    HPKP¥Ø¥Ã¥À¤ÎÃͤˤϡ¢includeSubDomain¤È¤¤¤¦¥×¥í¥Ñ¥Æ¥£¤ò¤Ä¤±¤ë¤³¤È¤¬¤Ç¤­¤Þ¤¹¡£¤³¤ì¤ò¤Ä¤±¤ë¤Èexample.com¤ËHPKP¤òÀßÄꤷ¤Æ¤ª¤±¤Ð¡¢sub1.example.com¥É¥á¥¤¥ó¤ËÂФ·¤Æ¤âŬÍѤµ¤ì¤ë¤è¤¦¤Ë¤Ê¤ê¤Þ¤¹¡£
    hpkp-graph6
    HPKP¥Ø¥Ã¥À¤È¤·¤Æ¡¢Ä̾ï¤Ï"Public-Key-Pins"¤ò»È¤¤¤Þ¤¹¤¬¡¢"Public-Key-Pins-Report-Only"¤ò»È¤¨¤Ð¡¢¥Ö¥é¥¦¥¶¤ÏHPKP¤ò¸¡¾Ú¤»¤º¤Ë¡¢¥¨¥é¡¼¤È¤Ê¤Ã¤Æ¤âHTTPSÀܳ¤Ï³¤±¤é¤ì¤ë¥Æ¥¹¥ÈÍѤε¡Ç½¤¬¤¢¤ê¤Þ¤¹¡£Ìó10%¤Î¥µ¥¤¥È¤¬¤³¤Î¥Æ¥¹¥ÈÍѤÎÀßÄê¤ò»È¤Ã¤Æ¤¤¤ë¤È¤ï¤«¤ê¤Þ¤¹¡£
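To make the survey's correctness criteria concrete, here is a checker for Public-Key-Pins header values, written as an added example for this page rather than code from the original post. It parses the directives, requires at least two pin-sha256 values that decode to a 32-byte SHA-256 digest, and flags a max-age outside the 15 to 60 day range discussed above as well as a missing report-uri. The function names and the sample headers are constructed for the example; the pin values in them are made-up sample digests that belong to no real site, and the third sample is the broken header quoted in the survey.

```javascript
// Added example, not code from the original post: a small checker for
// Public-Key-Pins header values, applying the criteria the survey uses
// (well-formed directives, at least two valid pin-sha256 values, a sensible
// max-age, a report-uri). Function names and sample headers are constructed.

const DAY = 24 * 60 * 60; // max-age is given in seconds

// Split "name=value; name; ..." into directives. Names are matched
// case-insensitively; quoted values have their surrounding quotes removed.
// (A report-uri containing a literal ';' would need a real quoted-string
// parser; the simple split is enough for the survey's purposes.)
function parseHpkpHeader(value) {
  const h = { pins: [], maxAge: null, includeSubDomains: false, reportUri: null, unknown: [] };
  for (const raw of value.split(';')) {
    const part = raw.trim();
    if (part === '') continue;
    const eq = part.indexOf('=');
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq < 0 ? null : part.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1);
    }
    if (name === 'pin-sha256') h.pins.push(val === null ? '' : val);
    else if (name === 'max-age') h.maxAge = val;
    else if (name === 'includesubdomains') h.includeSubDomains = true;
    else if (name === 'report-uri') h.reportUri = val;
    else h.unknown.push(name);
  }
  return h;
}

// A pin is the base64 encoding of a 32-byte SHA-256 digest of the SPKI:
// 43 base64 characters plus one '=' of padding.
function isValidPin(pin) {
  return /^[A-Za-z0-9+/]{43}=$/.test(pin) && Buffer.from(pin, 'base64').length === 32;
}

function checkHpkpHeader(value) {
  const h = parseHpkpHeader(value);
  const valid = h.pins.filter(isValidPin);
  const problems = [];
  const warnings = [];
  if (h.pins.length === 0) {
    problems.push('no pin-sha256 directive');
  } else {
    if (valid.length < h.pins.length) problems.push('pin-sha256 value is not a base64 SHA-256 digest');
    if (valid.length < 2) problems.push('fewer than two valid pins (a backup pin is required)');
  }
  const maxAge = h.maxAge !== null && /^\d+$/.test(h.maxAge) ? Number(h.maxAge) : null;
  if (maxAge === null) problems.push('max-age missing or not a number');
  else if (maxAge < 15 * DAY) warnings.push('max-age under 15 days leaves more room for a hijacked site to install its own pins');
  else if (maxAge > 60 * DAY) warnings.push('max-age over 60 days: a misconfiguration locks users out for that long');
  if (h.reportUri === null) warnings.push('no report-uri: pin validation failures will not be reported');
  for (const u of h.unknown) warnings.push('unknown directive: ' + u);
  return {
    ok: problems.length === 0,
    pinCount: h.pins.length,
    validPinCount: valid.length,
    maxAgeDays: maxAge === null ? null : maxAge / DAY,
    includeSubDomains: h.includeSubDomains,
    problems,
    warnings,
  };
}

// Constructed sample headers. The pin values are made-up sample digests that
// belong to no real site; the third header is the broken one quoted in the survey.
const SAMPLE_HEADERS = {
  good: 'pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; ' +
        'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; ' +
        'max-age=2592000; includeSubDomains; report-uri="https://report.example/hpkp"',
  singlePin: 'pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; max-age=5184000',
  fromSurvey: 'pin-sha256="base64+info1="; max-age=3',
};

for (const [label, header] of Object.entries(SAMPLE_HEADERS)) {
  console.log(label, JSON.stringify(checkHpkpHeader(header)));
}
```

Run it with node: only the "good" header passes; the single-pin header fails for lack of a backup pin, and the survey's header fails on both the pin value and the pin count, with an extra warning that its three-second max-age is far below the 15-day floor argued for above.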
[figure: hpkp-graph7]
Breaking down Scott Helme's 283 reachable HPKP sites (as of 2017) by gTLD (com, org, etc.) and ccTLD (de, ru, jp, etc.), com being the most common is no surprise, but some TLDs stood out as conspicuously frequent relative to the actual number of registrations in each TLD. com has 130 million registered domains, net and de 16 million each, and ru 5.4 million, yet relative to their registration counts ru, org and de are disproportionately represented. Among the countries lumped together as "other" in the graph, some minor ccTLDs also have comparatively many HPKP deployments. It also struck me that edu is abnormally rare. "Other" contained close to 50 minor TLDs such as ar/br/cl/il/pt/nl/tn/sk.

6. What is wrong with HPKP as it stands

The idea behind HPKP is itself useful as a mechanism to prevent fake sites using fraudulently issued certificates, and the preloaded pins built into browsers such as Chrome and Firefox seem to work well. The header-based HPKP scheme, on the other hand, turns out to be quite complex and difficult to operate, and to carry a high risk of outages in which, after a mistake, some users cannot connect for a long period such as two months.

For personal and small to mid-sized sites, I see no benefit for an attacker in going as far as using a fraudulent certificate to build a fake site, and the chance of being attacked is extremely low, so I don't think HPKP needs to be deployed at the cost of taking on the risk of a service outage.

For HPKP to spread among ordinary sites, then, I think the specification needs changes that make it easier to operate and less prone to outages. How could that be done?

Assuming a max-age of two months, the operational problem with the HPKP header is this: if the pins are going to change, the new configuration must be put in place two months before the certificate is renewed, and even if you notice a mistake and fix the header, the outage still lasts two months.

So I think it would help if, on noticing a mistake, a configuration change could take effect immediately, or if the server side had a kill switch that temporarily disables HPKP validation in the browser. I have not thought this through deeply, but for example the header could carry an HPKP update date, so that when the configuration has been updated the browser takes the new one regardless of max-age, and when it is to be disabled the browser disables it. Functions like that would free operations from the curse of max-age and configuration mistakes.

There may be other ways to solve this problem, but unless something is done about it, HPKP does not look likely to become widespread.

7. Closing

Above I have tried to work through and organize various operational aspects of HPKP, such as where to pin and what to do about max-age. I hope it has also conveyed that, at present, deploying HPKP is premature: it burdens operations and carries a high risk of service outage.

With this I finally managed, after something like three years, to set down calmly what I had long wanted to write about HPKP. Apologies if it is hard to follow or if my understanding is mistaken. Personally, this has more or less cleared up my lingering unease about HPKP. Well, "that's what blogs are for", I guess... (lol)

8. (Reference) Useful links on HPKP

Netcraft: Secure websites shun HTTP Public Key Pinning
Statistics showing that HPKP has not caught on, with an explanation of why. Good article.
Netcraft: HTTP Public Key Pinning: You're doing it wrong!
Netcraft's explanation of the configuration mistakes found on HPKP-enabled sites in the wild. Good article.
Scott Helme's HPKP blog posts
Blog of Scott Helme, an expert on SSL-related technologies such as CSP, HSTS and HPKP, who runs the report-collection site report-uri.io for HPKP and others. Also has data such as the domain list of HPKP-enabled sites.
Qualys Blog: Is HTTP Public Key Pinning Dead?
Ivan Ristic's discussion of whether HPKP is finished.
Raymii.org: HTTP Public Key Pinning Extension HPKP for Apache, NGINX and Lighttpd
Thorough explanation, with HPKP header configuration examples for each server.
MDN: Public Key Pinning
Mozilla's explanation of HPKP. Useful for its notes on which Chrome and Firefox versions support HPKP, its server configuration examples, and the remark that the reporting feature only works in recent Chrome.
Chris Palmer: About Public Key Pinning (original article)
Chris Palmer's explanation of HPKP. It contains some misunderstandings, but it was the first article to consider, case by case, where in the certificate chain to pin.
ぼちぼち日記 (Jovi's blog): Trying out Public Key Pinning, which detects fraudulent SSL certificates
A detailed and wide-ranging explanation of (draft) HPKP by Jovi.
Jxck's blog: Supporting Public Key Pinning for HTTP (HPKP) and collecting reports with report-uri.io
Jxck's explanation. Especially valuable for the report on trying out the report-uri feature.
User tracking via public key pinning: HPKP Supercookies
Not closely related to this article, but slides by nishimunea on an interesting attempt to identify users without cookies using HPKP.
OWASP: Certificate and Public Key Pinning
OWASP's explanatory article. Much of the information is superfluous.

9. Addenda

9.1. Addendum (2017.02.26): browser support for HPKP

The caniuse.com site provides browser support information for many features, and it also lists HPKP support as of February 2017, so I include it here. Firefox, Chrome, Opera and Chrome for Android support it; nothing else does.
[figure: hpkp-caniuse]

9.2. Addendum (2017.02.26): the HPKP outage at smashingmagazine.com

While continuing to read up on HPKP, I found a post on the smashingmagazine.com blog analysing a connection outage caused by HPKP. It said the following:

• HPKP is an effective feature against man-in-the-middle attacks, but
• an HPKP misconfiguration caused an HTTPS connection outage from 21 to 25 October 2016
• updating the HPKP header after the certificate expired produced errors
• the certificate had already expired, so rolling back was not possible
As lessons learned, the post says:
• for a financial site or similar HPKP is worth using, but a plain information site does not need it; a service outage from an HPKP misconfiguration is a bigger threat than a man-in-the-middle attack
• the problem can be mitigated by shortening max-age
I agree that being unable to provide the service is the bigger problem, but as noted earlier, setting max-age to too small a value is not wise and calls for care. This site apparently had max-age set to one year, which is certainly too long. I looked at the newly configured HPKP header: besides the current SSL server certificate it has three pins, and max-age is set to one day, so the configuration looks problematic in several respects.

Moving "SSL/TLS as seen in SSL Pulse statistics" to a new site

Since around November 2014 I have been posting trend information on this blog drawn from SSL Pulse, a site that publishes SSL statistics. I had said I would update every other month, yet there have been no updates since December 2015, so some of you may have been thinking "Hey, quit slacking!". Sorry. Sorry. Sorry.

The new site

I have created a site, SSL Pulse Trends (trends in the SSL Pulse data): https://kjur.github.io/www/sslpulsetrend/index_j.html. Future monthly updates will be done there.

How the site came to be moved...

Previously I drew the graphs with Excel and the like, and honestly that took a lot of work. I'm curious myself and want to see the numbers right away each month, but doing it every month just wasn't feasible... The rough flow was this:

• download this month's data file (JSON) with wget
• run a tool that converts the data trend into TSV format; the columns needed for the graphs are also produced at this point
• convert the TSV file to UTF-16 (a workaround for Excel on Mac)
• load it into Excel
• tidy the data (date formats, table headers and so on)
• create the graphs needed
• export the graphs as EMF (Enhanced Metafile)
• paste them into PowerPoint with callouts and the like (adjusting positions)
• screen-capture the PowerPoint slide and post it to the blog
The first hurdle: at home I use a MacBook Air, and Excel for Mac (both the old 2011 and the current version) makes it painful to load CSV or TSV files without garbling the characters. Plain UTF-8 appears to be an accepted input option, but it didn't work. What finally worked was converting to UTF-16 in a text editor app before loading. Searching Google for something like "Mac Excel TSV 文字化け" will turn up the method.
[figure: 07]

Then the graphs are made one by one.
[figure: 01]
Since Excel's graph legends are a bit hard to read, callouts are added in PowerPoint.
[figure: 39]
See? Looks like quite a chore, doesn't it?

So, on the new site

I really wanted to stop making graphs in Excel, so I looked into whether they could be drawn with JavaScript instead. At first I thought something like ccchart would look good too, but I learned that getting the design I had in mind would be extremely hard. I also looked at the well-known D3.js, but gave up because drawing one ordinary graph needed a lot of code. There are wrappers that make D3.js easier to use, so I tried a few, and since rickshaw let me draw graphs I could live with, I decided to use it.

Originally I wanted to pull in the JSON data file hosted on SSL Pulse each time the page is displayed, process it and then draw the graphs, but various CORS barriers got in the way and I gave up. Dynamic downloading was no longer needed, so I ended up generating static analysis data with Node and loading it normally via a SOURCE tag.

If I were merely writing about SSL Pulse on the blog now and then, I thought no special notice would be needed, but since I would be publishing the page regularly, and in English too, I felt it would be proper to check with Ivan Ristic, the author of SSL Pulse. Ivan is the author of Bulletproof SSL and TLS, which I consider the best technical book on SSL/TLS, and also develops ssllabs, the SSL configuration assessment site.

Bulletproof SSL and TLS, Ivan Ristic, Lightning Source Inc, 2014-08

At first I tried to contact him via Twitter DM, but naturally he doesn't follow me, so I couldn't send a DM, and no e-mail address was listed anywhere, so I couldn't reach him. So I asked Ryan Hurst, with whom I regularly exchange information about JavaScript crypto/PKI libraries and who has helped me a great deal, whether he could get in touch. Ryan forwarded my request with "Let me introduce Kenji. He's the author of a great JavaScript crypto/JWT/X.509 library." After about two days of waiting I was starting to think "hmm, no reply then", but a reply came: "SSL Labs is under a liberal content license, and I think you'll find your case is no problem at all. I had wanted to do the same thing (that is, trend data) myself but haven't had the time." Great, great. Now I can publish regularly with peace of mind.

Rickshaw is used roughly like this:

<div id="chart_container"><div id="grade_chart"></div></div>
<script>
var graph = new Rickshaw.Graph({
  element: /* DOM node of the DIV into which the chart canvas is inserted */,
  width: /* chart width */,
  height: /* chart height */,
  renderer: /* chart type, e.g. bar or line */,
  series: [
    {
      "color": /* colour for this data series */,
      "name": /* series name, e.g. TLS1.2 or SHA256withRSA */,
      "data": [{x: value, y: value}, {x: value, y: value}, ...]
    },
    /* ... further series if there are several */
  ]
});
graph.render();
</script>
Since writing the same kind of code for each graph of the same type is tedious, I wrote a further wrapper:
RickshawUtilGraph(common prefix of the DOM IDs to draw into (graph, legend, X/Y axes, etc.), common graph template, data (graph data and series names) [, optional parameter to change the graph type] [, optional parameter to change the graph colours]);
Now, whenever SSL Pulse updates, the graph data can be generated with a single make, so the monthly update is no longer a burden.
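As an added example (not the author's converter or the RickshawUtilGraph wrapper), the following Node script shows the data step of the workflow above end to end: a few monthly snapshots are turned into the TSV (and its UTF-16 form) that the Excel workflow consumed, and into the series array that new Rickshaw.Graph({...}) takes. The snapshot layout is an assumption made for this example; SSL Pulse's real JSON format is not shown on this page. The percentages are the ones quoted in the monthly posts of this article.

```javascript
// Added example, not the author's own converter: turns a few SSL Pulse-style
// monthly snapshots into the TSV the Excel workflow consumed and into the
// `series` array that Rickshaw.Graph expects. The snapshot layout
// ({ month, <category>: { <series name>: percent } }) is an assumption made for
// this example, not the real SSL Pulse JSON format; the percentages are the
// ones quoted in the monthly posts of this article.

const SNAPSHOTS = [
  { month: '2015-05', protocols: { SSLv3: 40.0 } },
  { month: '2015-06', protocols: { SSLv3: 37.6 } },
  { month: '2015-08', protocols: { SSLv3: 35.0 }, certSig: { SHA1withRSA: 31.9, SHA256withRSA: 67.2 } },
  { month: '2015-10', protocols: { SSLv3: 32.5 }, certSig: { SHA1withRSA: 24.1, SHA256withRSA: 74.9 } },
];

// Rickshaw's time axis expects x values in Unix seconds.
function monthToUnix(month) {
  const [y, m] = month.split('-').map(Number);
  return Date.UTC(y, m - 1, 1) / 1000;
}

// Union of series names seen for a category, in first-seen order.
function seriesNames(snapshots, category) {
  const names = new Set();
  for (const s of snapshots) for (const k of Object.keys(s[category] || {})) names.add(k);
  return [...names];
}

// One TSV row per month, blank cells where a month lacks a value.
function toTsv(snapshots, category) {
  const names = seriesNames(snapshots, category);
  const rows = [['month', ...names].join('\t')];
  for (const s of snapshots) {
    const vals = s[category] || {};
    rows.push([s.month, ...names.map(n => (n in vals ? String(vals[n]) : ''))].join('\t'));
  }
  return rows.join('\n') + '\n';
}

// Excel for Mac reads UTF-16 with a BOM cleanly (step 3 of the old workflow).
function tsvToUtf16(tsv) {
  return Buffer.from('\ufeff' + tsv, 'utf16le');
}

// Rickshaw requires every series in a graph to have the same number of points,
// so each series gets a point for every month that carries the category,
// with 0 where that particular series has no value.
function toRickshawSeries(snapshots, category, palette) {
  const months = snapshots.filter(s => s[category]);
  return seriesNames(snapshots, category).map((name, i) => ({
    color: palette[i % palette.length],
    name,
    data: months.map(s => ({ x: monthToUnix(s.month), y: name in s[category] ? s[category][name] : 0 })),
  }));
}

// The options object for `new Rickshaw.Graph(...)`; `element` is added in the
// browser, e.g. document.getElementById('grade_chart').
function rickshawOptions(series, width = 600, height = 300, renderer = 'line') {
  return { width, height, renderer, series };
}

const protoSeries = toRickshawSeries(SNAPSHOTS, 'protocols', ['#1f77b4', '#ff7f0e']);
console.log(toTsv(SNAPSHOTS, 'certSig'));
console.log(JSON.stringify(rickshawOptions(protoSeries)));
```

In the browser, spread the result of rickshawOptions(...) into new Rickshaw.Graph({ element: document.getElementById('grade_chart'), ... }) and call render(); the TSV path is kept only for comparison with the old Excel workflow.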

So, although the page is still bare, I have managed to publish the Japanese page. Graphs that did not exist before have been added as well: the trend of the distribution of assessment grades (A to F) and the trend of HTTP/2 support protocols advertised via NPN.
[figure: 42]
After a while I plan to start on the English page.

Thank you for your continued support.

SSL/TLS as seen in SSL Pulse statistics (December 2015 edition)

Well, it's the end of the year. Lately I haven't been able to find any time for SSL/TLS research. The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, also known for ssllabs, and publishes SSL-related statistics every month for the world's top 200,000 sites by traffic according to Alexa, the web survey company. Following on from October, let's graph the SSL/TLS trends from the December 2015 SSL Pulse. This month the data seems to have been published rather early, but I was late noticing.

Trend in vulnerability remediation

[figure: 201512-a1vuln]

Trend in SSL/TLS protocols

[figure: 201512-a2proto]

Trend in SSL server certificate key lengths and signature algorithms

[figure: 201512-a3crt]

Trend in support for new technologies

[figure: 201512-a4adv]
SPDY is declining. The migration to HTTP/2 has begun. SSL Pulse has in fact been reporting HTTP/2 support since about four months ago, so I would like to visualize that soon.

Minimum key length for key exchange

[figure: 201512-a5kx]

Minimum key length for DH(E) key exchange

[figure: 201512-a6dh]
Whereas the support rate for DH key exchange is roughly flat,

Minimum key length for ECDH key exchange

[figure: 201512-a7ecdh]
support for ECDH(E) can be seen to be advancing.

Closing

It's the year-end rush; I don't feel I've been out drinking that much, yet somehow work is piled up orz. Sorry for the sparse commentary. That's it for this month.

SSL/TLS as seen in SSL Pulse statistics (October 2015 edition)

The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, also known for ssllabs, and publishes SSL-related statistics every month for the world's top 200,000 sites by traffic according to Alexa, the web survey company. Following on from August, let's graph the SSL/TLS trends from the October 2015 SSL Pulse. This month the data took a long time to appear; I believe it was finally updated around 19 October. No new items were added either, so I wonder why.

Trend in vulnerability remediation

[figure: 201510vuln]
The share of sites where RC4 can be used keeps falling steadily, and this month only 53% of sites still allow it. Sites supporting PFS, that is ECDHE or DHE key exchange, have risen to 71.5%, so it can now be used with a good many servers.

Trend in SSL/TLS protocols

[figure: 201510proto]
Under the influence of POODLE, sites where SSLv3 can be used have fallen to 32.5%.

Trend in SSL server certificate key lengths and signature algorithms

[figure: 201510crt]
Following the SHA-1 certificate warnings in Google Chrome and Windows products, the SHA-2 migration again progressed steadily this month: SHA1withRSA is at 24.1% and SHA256withRSA at 74.9%. Only a quarter left to go.

Trend in support for new technologies

[figure: 201510adv]
HSTS, OCSP Stapling and EV are all rising gradually, but nothing dramatic.

Minimum key length for key exchange

[figure: 201510kx]
Key exchange key lengths are steadily moving away from 512-bit and 1024-bit toward 2048-bit equivalents, but...

Minimum key length for DH(E) key exchange

[figure: 201510dh]
As many as 48.2% of sites do not support DH key exchange, and while DH 1024-bit, whose strength is insufficient, is declining, it is still at 28.9%. Opinions will differ, but I think it is better not to use DH(E) and to use ECDH(E) instead.

Minimum key length for ECDH key exchange

[figure: 201510ecdh]
Sites where ECDH/ECDHE is unavailable have fallen to 34.2%, and sites where ECC 256-bit can be used have risen to 61.9%. It feels like it has become quite widespread, and my advice is "don't overthink it, just make ECDHE available!".

Closing

I seriously need to produce two sets of talk slides. That's it for today.

SSL/TLS as seen in SSL Pulse statistics (August 2015 edition)

The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, also known for ssllabs, and publishes SSL-related statistics every month for the world's top 200,000 sites by traffic according to Alexa, the web survey company. Following on from June, let's again graph the SSL/TLS trends from the August SSL Pulse.

Trend in vulnerability remediation

[figure: 201508-vuln]
The share of sites where RC4 can be used is falling steadily; on the whole things look to be going smoothly. Boring.

Trend in SSL/TLS protocols

[figure: 201508-ssl]
Under the influence of POODLE, the share of sites still supporting SSLv3 has fallen steadily to 35.0%. Also boring.

Trend in SSL server certificate key lengths and signature algorithms

[figure: 201508-crt]
Following the SHA-1 certificate warnings in Google Chrome and Windows products, the SHA-2 migration again progressed steadily this month: SHA1withRSA is at 31.9% and SHA256withRSA at 67.2%.

Trend in support for new technologies

[figure: 201508-new]
Hmm, this one is boring too.

Minimum key length for key exchange

[figure: 201508-kx]
Key exchange key lengths are steadily moving away from 512-bit and 1024-bit toward 2048-bit equivalents.

Minimum key length for DH key exchange

[figure: 201508-dh]
Use of DH 1024-bit and 512-bit, whose strength is insufficient, is declining steadily and 2048-bit is increasing, but the rate is nothing to speak of, and I still think it is better not to use DH/DHE at all.

Minimum key length for ECDH key exchange

[figure: 201508-ecdh]
Sites where ECDH/ECDHE is unavailable are declining steadily and sites where it is available are increasing; sites supporting ECC 256-bit ECDH/ECDHE have risen to 58.5%.

Closing

I'm at the Security Camp national event this week, so this one is kept light.

SSL/TLS as seen in SSL Pulse statistics (June 2015 edition)

The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, also known for ssllabs, and publishes SSL-related statistics every month for the world's top 200,000 sites by traffic according to Alexa, the web survey company. Following on from May, let's graph the SSL/TLS trends from the June SSL Pulse. I had actually meant to go bimonthly, but I wanted to see the impact of Logjam, so I did it this month anyway. (Not true: this was a month I didn't need to do, and I simply forgot and made the graphs orz)

Trend in vulnerability remediation

[figure: 201506vuln]

Trend in SSL/TLS protocols

[figure: 201506proto]
Under the influence of POODLE, SSLv3 support keeps falling steadily, and the sites supporting it have dropped to 37.6%.

Trend in SSL server certificate key lengths and signature algorithms

[figure: 201506crt]
Following the SHA-1 certificate warnings in Google Chrome and Windows products, the ratio of SHA-1 to SHA-2 certificates flipped in May, and the SHA-2 migration continues steadily: SHA-2 is now at 60% and SHA-1 at 40%.

Trend in support for new technologies

[figure: 201506adv]
The OCSP stapling adoption rate had started to climb but fell back again.

Minimum key length for key exchange

[figure: 201506kx]
Key exchange information has been available since March, so a trend is finally becoming visible.

Minimum key length for DH key exchange

[figure: 201506dh]
With the publication in May of the Logjam vulnerability, a downgrade to weak export-grade DH(E) keys, DH key exchange key lengths have increased overall, but only by two or three percent. Rather than configuring longer DH key lengths, I still think it is better not to use DH key exchange and to use ECDH-family key exchange instead.

According to the blog of Matthew Green, one of the discoverers of Logjam, for the attack to succeed the man in the middle has to break the DH key within the short time window of the handshake. That is feasible if precomputation has been done for a given set of key parameters: 512-bit can be broken in tens of seconds even in an ordinary environment, and for 1024-bit, while it may be out of reach for an ordinary environment, for an intelligence agency such as the NSA the cost is not at all impossible relative to its budget. Scary.

Minimum key length for ECDH key exchange

[figure: 201506ecdh]
The ratio of sites that can use ECDH-family key exchange to those that cannot flipped in May, and use of ECC 256-bit is progressing steadily.

Closing

Next Monday is the JNSA study group, so I need to get the slides done soon. Ogya-san sure has amazing drawing power, though.

SSL/TLS as seen in SSL Pulse statistics (May 2015 edition)

The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, also known for ssllabs, and publishes SSL-related statistics every month for the world's top 200,000 sites by traffic according to Alexa, the web survey company. Following on from March, let's graph the SSL/TLS trends from the May SSL Pulse. I hope to keep looking at it every other month (^^;

Trend in vulnerability remediation

[figure: 201505vuln]

Trend in SSL/TLS protocols

[figure: 201505proto]
Under the influence of POODLE, SSLv3 support keeps falling steadily, and the sites supporting it have dropped to 40%.

Trend in SSL server certificate key lengths and signature algorithms

[figure: 201505cert]
Following the SHA-1 certificate warnings in Google Chrome and Windows products, the ratio of SHA-1 to SHA-2 certificates has flipped. I think this is the most notable thing in this month's graphs.

Trend in support for new technologies

[figure: 201505adv]
The OCSP stapling adoption rate is growing steadily, but nothing major.

Minimum key length for key exchange

[figure: 201505kx]
Key exchange information has been available since March, so a trend is finally becoming visible.

Minimum key length for DH key exchange

[figure: 201505dh]
Sites supporting DH key exchange are increasing slightly, but it is a serious problem that not only 2048-bit but also 1024-bit, considered insecure, is increasing, and that 512-bit, which is even less secure, is in use at all. This trend too suggests that rather than configuring longer DH key lengths, it is better not to use DH key exchange and to use ECDH-family key exchange instead.

Section 4.4 of RFC 7525, the summary of recommendations for implementing and deploying TLS that I wrote about on this blog the other day, also lays out the issues with DH key exchange. RFC 7525 does not say "don't use it", but reading it I feel DH-family key exchange should not be used.

Minimum key length for ECDH key exchange

[figure: 201505ecdh]
The ratio of sites that can use ECDH-family key exchange to those that cannot has flipped, and support for ECDH-family key exchange now exceeds half. The decline in the share unable to use ECDH-family key exchange is much more pronounced than for DH.

Closing

Quite a blog rush this weekend. I couldn't get to the item about the SSL server certificate with an embedded message. That's it for today.

SSL/TLS as seen in SSL Pulse statistics (March 2015 edition)

The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, also known for ssllabs, and publishes SSL-related statistics every month for the world's top 200,000 sites by traffic according to Alexa, the web survey company. Following on from January, let's graph the SSL/TLS trends from the March SSL Pulse.

Additions to the SSL Pulse data

From March 2015 the following data are additionally observed:

• support for TLS_FALLBACK_SCSV, the POODLE mitigation proposed in an Internet-Draft from Google and implemented in Google Chrome, the latest OpenSSL and others
• support for OCSP stapling, introduced so that when the OCSP responder is unreachable due to network problems and the like, users are not connected to a site whose certificate has been revoked, and so that the CA cannot collect a record of the sites users visit
• minimum key length used in key exchange (values split by DH and ECDH also exist, but they are not shown as pie charts)

Trend in vulnerability remediation

[figure: 01vuln1]
From this month, the "share not supporting TLS_FALLBACK_SCSV", the POODLE mitigation, has been added. Close to 45% of sites appear to support it.

Trend in SSL/TLS protocols

[figure: 02proto]
Under the influence of POODLE, SSLv3 support keeps falling steadily, though the decline seems to be slowing.

Trend in SSL server certificate key lengths and signature algorithms

[figure: 03key]
Following the SHA-1 certificate warnings in Google Chrome and Windows products, the migration from SHA-1 to SHA-2 certificates is progressing steadily: SHA-2 is at 42% and SHA-1 at 57%, almost at the crossover point.

Trend in support for new technologies

[figure: 04func]
From this month OCSP stapling support is shown in the graph. 20% of sites appear to support OCSP stapling, which is more than I expected.

Minimum key length for key exchange

[figure: 05keyex]
From this month SSL Pulse shows the minimum key length used in key exchange. Since certificates now use RSA 2048-bit or longer, the 2048-bit share in the graph corresponds to key exchange done with RSA, and the 1024-bit and 512-bit shares to key exchange done with DH (Diffie-Hellman) or DHE. NIST's algorithm transition guideline says that RSA, DH, DSA and the like with key lengths of 1024 bits or less must not be used; quite a few sites still offer cipher suites using DH or DHE, and it is clear that deliberately using DH or DHE is not safe. Since servers neither disable them nor configure sufficient key lengths, I have the feeling that the client side has no choice but to take care. In particular, there is a tendency to use DH or DHE for PFS (Perfect Forward Secrecy), but in such cases ECDH or ECDHE should be chosen.

Minimum key length for DH key exchange

[figure: 06dh]
As this graph makes obvious, with DH and DHE the vast majority use 1024-bit or 512-bit key lengths, which do not provide sufficient security. Scary. The values in this graph cannot be seen on the SSL Pulse site (that is, only the data exists).

Minimum key length for ECDH key exchange

[figure: 07ecdh]
Where ECDH or ECDHE is available, almost all use a 256-bit key length (equivalent to RSA 3076-bit), so it can generally be used with confidence. As noted in my survey of go.jp domains, it is surprising that 571-bit ECC keys see some use. Below 256-bit, 224-bit and 163-bit are used very rarely, and the absence of 192-bit was also unexpected. The values in this graph too cannot be seen on the SSL Pulse site (that is, only the data exists).

Closing

Above I looked at various trends from this month's SSL Pulse data. That's it for today.
