自堕落な技術者の日記 (A Slothful Engineer's Diary)

Mostly I'm either eating or drinking, but as hobbies I do karaoke, PKI, digital signatures, authentication, programming and information security. I love travelling, and I love TV enough to be something of a showbiz expert.

X.509 certificates

Recent certificate topics (3): Thoughts on the certificate profile of the electronic power of attorney (電子委任状) in digital-certificate form

¤ªÏͤӡ§¤³¤Îµ­»ö¤Ï£³·î¤Ë½ñ¤­»Ï¤á¡¢£µ·î¤ËÂçÊý¤Ç¤­¤Æ¤¤¤¿¤Î¤Ç¤¹¤¬¡¢¤Ê¤ó¤«¥Ü¥ê¥å¡¼¥àËþÅÀ¤Ê³ä¤Ë¡¢Íî¤È¤·½ê¤¬¤Ê¤¯¤Ê¤Ã¤Æ¤·¤Þ¤¤¡¢¿É¤¯¤Ê¤Ã¤ÆÊüÃÖ¤·¤Æ¤¤¤Þ¤·¤¿¡£¤³¤ì¤¬½ª¤ï¤é¤Ê¤¤¤»¤¤¤Ç¡¢Â¾¤Îµ­»ö¤â²¿¤È¤Ê¤¯½ñ¤¯¤Î¤¬²¯¹å¤Ë¤Ê¤Ã¤Æ¤¤¤Þ¤·¤¿¡£¤ä¤Ã¤È£¸·îËö¤Îº£Æü¡¢¾¯¤·½ñ¤­Â­¤·¤ÆÀ¸¼Ñ¤¨µ­»ö¤È¤·¤Æ¶¡Íܤµ¤»¤Æ¤¯¤À¤µ¤¤m(_ _)m¡£¤¿¤À¤³¤³¤Ç¸À¤¤¤¿¤¤¤Î¤Ï
(ÅŻҾÚÌÀ½ñÊý¼°¤Î)ÅŻҰÑǤ¾õ¤Ï¡¢¤ªÌò½ê¤Ø¤Î¿½ÀÁ¤À¤±¤Ç¤Ê¤¯¡¢´ë¶È´Ö¤ÎÅŻҷÀÌó¤Ç¤â¡¢Á°¤è¤ê³ÊÃʤ˻Ȥ¤¤ä¤¹¤¤¾ÚÌÀ½ñ¤Ê¤Î¤Ç¡Ö¤Á¤ã¤ó¤ÈÉáµÚ¤·¤Æ¤¯¤À¤µ¤¤¡ª¡ª¡ª¡×
¤Ã¤Æ¤³¤È¤À¤±¤Ç¤¹¡£

º£Æü¤ÏÀµ³Î¤Ë¤Ï¾ÚÌÀ½ñ¥Ï¥ó¥¿¡¼¥Í¥¿¤È¤Ï¸À¤¨¤Ê¤¤¤ó¤Ç¤¹¤¬¡¢º£¸å¤ª¤â¤·¤í¤½¤¦¤Ê¡¢¡ÖÅŻҰÑǤ¾õ¡×¤È¤¤¤¦¾ÚÌÀ½ñ¤¬½Ð¤Æ¤­¤½¤¦¤Ã¤Æ¤³¤È¤Ç¾Ò²ð¤·¤¿¤¤¤È»×¤¤¤Þ¤¹¡£¤Á¤ç¤Ã¤ÈŤ¤¤Ç¤¹¡£¤´ÍƼϤ¯¤À¤µ¤¤¡£

Contents
1. What is the electronic power of attorney?
2. Structure of a certificate's distinguished name (a refresher)
3. Issuing a sample electronic power of attorney in digital-certificate form
4. Do general-purpose certificate viewers display the subjectAltName correctly?
　4.1. Display on Windows
　4.2. Display on macOS
　4.3. Display in Firefox
　4.4. Display in Adobe Acrobat Reader DC
　4.5. Display by the Java JCE SUN provider
　4.6. Display by the Java JCE BouncyCastle BC provider
　4.7. Display by OpenSSL's x509 -text command
　4.8. Summary of display results
5. Thoughts on the distinguished names of the electronic power of attorney
　5.1. On attribute types
　5.2. On the organizationIdentifier attribute type
　5.3. On the description attribute type
　5.4. On whether OU should be used
　5.5. So which attribute type should have been used?
　5.6. The problem of similar-looking Japanese characters
　5.7. Other small issues in the sample entry

1. ÅŻҰÑǤ¾õ¤È¤Ï

´û¤Ë¤´Í÷¤Ë¤Ê¤Ã¤Æ¤¤¤ëÊý¤â¤¤¤ë¤«¤â¤·¤ì¤Þ¤»¤ó¤¬¡¢ 2018ǯ1·î¤«¤é¡ÖÅŻҰÑǤ¾õ¤ÎÉáµÚ¤ÎÂ¥¿Ê¤Ë´Ø¤¹¤ëˡΧ¡ÊÅŻҰÑǤ¾õË¡¡Ë¡×¤¬»Ü¹Ô¤µ¤ì¤Þ¤·¤¿¡£

¤¢¤ëÄøÅ٤ε¬Ìϰʾå¤Î²ñ¼Ò¤Ë¤Ê¤Ã¤Æ¤¯¤ë¤È¡¢·ÀÌó¤ä¹ÔÀ¯¼ê³¤­¤Ê¤É¤Ç¡¢¼ÒŤµ¤ó¼«¤é¤½¤Î¤è¤¦¤Ê»ö̳½èÍý¤ò¤¹¤ë¤³¤È¤Ï¾¯¤Ê¤¤¤È»×¤¤¤Þ¤¹¤¬¡¢IC¥«¡¼¥É»È¤Ã¤ÆÅŻҽð̾¤¹¤ë¤È¤«¸À¤¦¤ÈËܿͤ·¤«°Å¾ÚÈÖ¹æÃΤé¤Ê¤¤¤Ï¤º¤Ê¤Î¤Çº¤¤Ã¤Á¤ã¤¦¤ó¤Ç¤¹¤è¤Í¡£¥Ñ¥½¥³¥ó¶ì¼ê¤Ê¼ÒŤµ¤ó¤À¤È¡¢IC¥«¡¼¥É¤È°Å¾ÚÈÖ¹æËèÅϤ·¤Á¤ã¤Ã¤Æ½èÍý¤ò¤ª´ê¤¤¤·¤¿¤ê¤·¤Æ¤Í¡£
ÅŻҰÑǤ¾õfig1
¤½¤³¤Ç¡¢¼ÒŤµ¤ó¤¬·è¤á¤¿ÂåÍý¤Î¿Í¤ËÂФ·¤Æ¡¢ÅŻҰÑǤ¾õ¤Ê¤ë¥Ç¡¼¥¿¤òÍ¿¤¨¤ë¤³¤È¤Ë¤è¤Ã¤Æ¡¢¤½¤Î¤è¤¦¤Ê·ÀÌó¤ä¿½ÀÁ¼ê³¤­¤ò¥ª¥Õ¥£¥·¥ã¥ë¤Ë¼ÒŤÎÂåÍý¤Ç¤Ç¤­¤ë¤è¤¦¤Ë¤·¤Æ¡¢ÅŻҲ½¤òÂ¥¿Ê¤·¤è¤¦¤È¤¤¤¦Ë¡Î§¤Ê¤Î¤À¤½¤¦¤Ç¤¹¡£
ÅŻҰÑǤ¾õfig2
IC¥«¡¼¥É¤È°Å¾ÚÈÖ¹æ¤Ï¡¢Ëܿͤ·¤«»È¤¨¤Ê¤¤¤è¤¦¤Ë´ÉÍý¤·¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¤È¤¤¤¦¤Î¤¬ÍøÍѤθ¶Â§¤Ê¤ó¤Ç¤¹¤¬¡¢ÅŻҰÑǤ¾õ¤Ë¤è¤Ã¤Æ¡¢¤Á¤ã¤ó¤È¿½ÀÁ¤ä·ÀÌ󤹤ëËÜ¿Í(=ÂåÍý¿Í)¤¬´ÉÍý¤¹¤ëIC¥«¡¼¥É¤¬¤Ç¤­¤ë¤è¤¦¤Ë¤Ê¤ë¤È¤¤¤¦¤Î¤¬¥ß¥½¤«¤È»×¤¤¤Þ¤¹¡£

Incidentally, on 23 May the Electronic Signature WG of the Japan Network Security Association (JNSA) held its spring festival "The World of Electronic Signatures (SIGN WORLD)", where attorney Hiroshi Miyauchi (宮内宏) spoke under the title "Electronic certificates for individuals and electronic certificates for corporate officers: the surprisingly useful Electronic Power of Attorney Act". I think these are the best explanatory slides on the electronic power of attorney and I'd like everyone to see them. The slide that made it click for me was the one comparing electronic certificates: whether it is the My Number card, certificates from accredited certification services, certificates from specified certification services, or commercial-registration certificates, the certificates usable under Japan's Electronic Signature Act are

  • basically certificates for a company's representative (the chairman, the president), or
  • certificates containing an individual's name and home address
and nothing else. In business, nobody cares about a department manager's home address, the name isn't always needed either, and it is far more important to have the title written in. No wonder the certificates we've had so far are hard to use in business. By contrast, the official-position certificates of the ministries contain neither name nor address, just the ministry name and the post, which makes them easy to use.

Issuing electronic powers of attorney is not something just anyone can do, nor is it done by a government office; it is done by a third-party service qualified for the "electronic power of attorney handling business", and since the application-verification process is the same, it sounds like domestic certificate-issuing services will take it on. The electronic power of attorney apparently also comes in a form like an ordinary (signed) PDF document, but there is also a form based on an X.509 digital certificate. (This, right here, is the bit to bite on!!!)

For the digital-certificate form of the electronic power of attorney, what items are recorded, that is, the so-called certificate profile, there is a sample entry on page 25 of the explanatory guide to the guidelines published by the Ministry of Internal Affairs and Communications (MIC). When that sample was drawn up there was a meeting where MIC, the Japan Certification Authority Council and the JNSA Electronic Signature WG discussed it, and I happened to be invited as well.

I think this sample has a number of issues, but leaving those aside, the key points of the certificate-form electronic power of attorney are, I think, the following.

  • Information about the delegating party (the principal, e.g. the president) and the delegated party (the proxy) is recorded in subjectAltName (SAN) as a directoryName.
  • The attribute types used in the SAN directoryName are O, OU, CN, ST (stateOrProvince), L (locality), T (title), description and organizationIdentifier.
  • The details of the content are set in the directory attribute values, including a prescribed prefix. For example, for the organisation's representative such as the president, the prefix "組織代表者名：" (organisation representative name:) is used, giving a value like "組織代表者名：山田太郎".

2. Structure of a certificate's distinguished name (a refresher)

A certificate's distinguished name has the structure

  attribute type 1 = attribute value 1, attribute type 2 = attribute value 2, attribute type 3 = attribute value 3 ...

The attribute type is an object identifier (OID), something like 2.5.4.10, and the attribute value is an ASN.1 string type (DirectoryString).

3. Issuing a sample electronic power of attorney in digital-certificate form

As a hobby I publish jsrsasign, a JavaScript-based crypto/PKI library. For this investigation I added support for all the attribute types the electronic power of attorney needs, so with the sample CA page you can easily generate a pseudo electronic-power-of-attorney certificate and use it to check how certificates are displayed.
[figure: toolca]

The distinctive part of the electronic power of attorney is the subjectAltName, so for checking it is enough to set only that: set the type to "DN" and paste the following as the value,
[figure: toolca-san]

  /organizationIdentifier=JCN1111111111111/O=株式会社アイツー/description=組織所在地：東京都渋谷区神宮前３－３/description=組織代表者肩書き：代表取締役社長/description=組織代表者生年月日：1972/04/27/description=組織代表者名：鈴木花子/CN=山田太郎/T=購買部長/description=部門所在地：東京都新宿区西新宿５－５/description=代理権内容：日本国内の1億円以下の購買行為/description=代表権制限：1億円以下の発注購買

and, if you care, set the subject name to the following:

  /CN=Taro Yamada/ST=Tokyo/L=Shinjuku-ku Nishi-Shinjuku 5-5

Press the "Issue Certificate" button and the certificate data is generated. In the input above, where the subjectAltName attribute type can be chosen I used the unusual description rather than the common OU, for the sake of the display test. Also, the explanatory guide writes stateOrProvince in the subject's prefecture as "S=" (as in S=Tokyo), but OpenSSL and jsrsasign use "ST=".

Inserting line breaks into the subjectAltName example above for readability gives the following:

  /organizationIdentifier=JCN1111111111111
  /O=株式会社アイツー
  /description=組織所在地：東京都渋谷区神宮前３－３
  /description=組織代表者肩書き：代表取締役社長
  /description=組織代表者生年月日：1972/04/27
  /description=組織代表者名：鈴木花子
  /CN=山田太郎
  /T=購買部長
  /description=部門所在地：東京都新宿区西新宿５－５
  /description=代理権内容：日本国内の1億円以下の購買行為
  /description=代表権制限：1億円以下の発注購買

Feel free to change the values, for example to your own name.

4. Do general-purpose certificate viewers display the subjectAltName correctly?

For displaying application documents and data digitally signed with an electronic power of attorney, a dedicated application will quite possibly be provided, but they may also be exchanged as data for general-purpose applications such as PDF or Word. Let's take a quick look at whether the certificate viewers built into OSes and browsers have any trouble displaying a digital certificate for an electronic power of attorney, in particular its subjectAltName.

4.1. Display on Windows

On Windows it is displayed as below and looks broadly fine. Since the view has to be scrolled, the image is stitched together from a few screenshots.
[figure: attorney5_win1merge]

4.2. Display on macOS

Displaying the subjectAltName of the sample electronic-power-of-attorney certificate created above with macOS Keychain Access gives the following.
[figure: cer-attorney-mac]

4.3. Display in Firefox

In Firefox it is displayed as below and looks broadly fine. Since the view has to be scrolled, the image is stitched together from a few screenshots.
[figure: attorney5-ff1merge]

4.4. Display in Adobe Acrobat Reader DC

Creating a digitally signed PDF and displaying it in Adobe Acrobat Reader DC gives the following. Broadly no problems here either.
[figure: attorney5-pdf1]

4.5. Display by the Java JCE SUN provider

Below is how the subjectAltName part looks when the certificate is loaded with the standard SUN provider in Java JCE and the object is printed with println(). No particular problems here either.

  [4]: ObjectId: 2.5.29.17 Criticality=false
  SubjectAlternativeName [
    OID.2.5.4.13="代表権制限：1億円以下の発注購買 ", OID.2.5.4.13=代理権内容：日本国内の1億円以下の購買行為, OID.2.5.4.13=部門所在地：東京都新宿区西新宿５－５, T=購買部長, CN=山田太郎, OID.2.5.4.13=組織代表者名：鈴木花子, OID.2.5.4.13=組織代表者生年月日：1972/04/27, OID.2.5.4.13=組織代表者肩書き：代表取締役社長, OID.2.5.4.13=組織所在地：東京都渋谷区神宮前３－３, O=株式会社アイツー, OID.2.5.4.97=JCN1111111111111
  ]

4.6. Display by the Java JCE BouncyCastle BC provider

Below is how the subjectAltName part looks when the certificate is loaded in Java JCE with the BC provider of BouncyCastle, the well-known free crypto library, and the object is printed with println(). It is only shown as an ASN.1 dump, but there are no particular problems here either.

  Tagged [4]
    DER Sequence
      DER Set
        DER Sequence
          ObjectIdentifier(2.5.4.97)
          UTF8String(JCN1111111111111)
      DER Set
        DER Sequence
          ObjectIdentifier(2.5.4.10)
          UTF8String(株式会社アイツー)
      DER Set
        DER Sequence
          ObjectIdentifier(2.5.4.13)
          UTF8String(組織所在地：東京都渋谷区神宮前３－３)
      DER Set
        DER Sequence
          ObjectIdentifier(2.5.4.13)
          UTF8String(組織代表者肩書き：代表取締役社長)
      DER Set
        DER Sequence
          ObjectIdentifier(2.5.4.13)
          UTF8String(組織代表者生年月日：1972/04/27)
      DER Set
        DER Sequence
          ObjectIdentifier(2.5.4.13)
          UTF8String(組織代表者名：鈴木花子)
      DER Set
        DER Sequence
          ObjectIdentifier(2.5.4.3)
          UTF8String(山田太郎)
      DER Set
        DER Sequence
          ObjectIdentifier(2.5.4.12)
          UTF8String(購買部長)
      DER Set
        DER Sequence
          ObjectIdentifier(2.5.4.13)
          UTF8String(部門所在地：東京都新宿区西新宿５－５)
      DER Set
        DER Sequence
          ObjectIdentifier(2.5.4.13)
          UTF8String(代理権内容：日本国内の1億円以下の購買行為)
      DER Set
        DER Sequence
          ObjectIdentifier(2.5.4.13)
          UTF8String(代表権制限：1億円以下の発注購買 )

4.7. Display by OpenSSL's x509 -text command

When the certificate information is displayed with the following OpenSSL command,

  % openssl x509 -in aaa.cer -noout -text

the result is as follows.

  X509v3 Subject Alternative Name:
      DirName: /2.5.4.97=JCN1111111111111 /O=\xE6\xA0\xAA\xE5\xBC\x8F\xE4\xBC\x9A\xE7\xA4\xBE \xE3\x82\xA2\xE3\x82\xA4\xE3\x83\x84\xE3\x83\xBC

The Japanese parts came out as hexadecimal escapes.
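The escapes OpenSSL prints above are one \xNN per UTF-8 byte, so they can be turned back into readable text. The following is an added example (not code from the article or from jsrsasign): it decodes the escapes, maps the numeric OIDs that appear on this page (2.5.4.97, 2.5.4.13) to names, and, because the profile's "yyyy/mm/dd" date contains the same "/" that OpenSSL uses as the RDN separator, treats a segment that does not start with "type=" as the continuation of the previous value. The sample DirName is constructed here; its O value reuses the exact bytes shown in the output above.

```python
import re
from typing import List, Tuple

# Attribute types that OpenSSL prints as bare OIDs in the output above.
OID_NAMES = {
    "2.5.4.97": "organizationIdentifier",
    "2.5.4.13": "description",
}

_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
# An RDN starts with a short name (O, CN, ...) or a dotted OID followed by "=".
_RDN_START = re.compile(r"^(?:[A-Za-z][A-Za-z0-9]*|\d+(?:\.\d+)+)=")


def unescape_openssl_value(value: str) -> str:
    """Turn OpenSSL's \\xNN escapes back into text.

    OpenSSL escapes each non-ASCII byte separately, so the escapes are
    collected into a byte string first and decoded as UTF-8 as a whole."""
    buf = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(value):
        buf += value[pos:m.start()].encode("utf-8")
        buf.append(int(m.group(1), 16))
        pos = m.end()
    buf += value[pos:].encode("utf-8")
    return buf.decode("utf-8")


def openssl_escape(text: str) -> str:
    """The reverse transform; used only to build the constructed sample below."""
    return "".join(c if ord(c) < 0x80 else
                   "".join("\\x%02X" % b for b in c.encode("utf-8"))
                   for c in text)


def parse_openssl_dirname(dirname: str) -> List[Tuple[str, str]]:
    """Parse OpenSSL's '/type=value/type=value' DirName string into pairs.

    A list is returned rather than a dict because description may occur
    several times. A segment that does not start a new RDN is treated as the
    continuation of the previous value, so a '/' inside a value (the
    'yyyy/mm/dd' date discussed in section 5.7) is put back together."""
    pairs: List[Tuple[str, str]] = []
    for segment in dirname.strip().split("/"):
        if not segment:
            continue
        if _RDN_START.match(segment):
            attr_type, _, raw = segment.partition("=")
            pairs.append((OID_NAMES.get(attr_type, attr_type), raw))
        elif pairs:
            attr_type, raw = pairs[-1]
            pairs[-1] = (attr_type, raw + "/" + segment)
    return [(t, unescape_openssl_value(v)) for t, v in pairs]


# Constructed sample: the O value uses the exact escaped bytes shown in the
# OpenSSL output above; the other RDNs are escaped by openssl_escape().
SAMPLE_DIRNAME = (
    "/2.5.4.97=JCN1111111111111"
    r"/O=\xE6\xA0\xAA\xE5\xBC\x8F\xE4\xBC\x9A\xE7\xA4\xBE"
    r"\xE3\x82\xA2\xE3\x82\xA4\xE3\x83\x84\xE3\x83\xBC"
    "/2.5.4.13=" + openssl_escape("組織代表者生年月日：1972/04/27")
    + "/CN=" + openssl_escape("山田太郎")
)

if __name__ == "__main__":
    for attr_type, value in parse_openssl_dirname(SAMPLE_DIRNAME):
        print(attr_type, "=", value)
```

The continuation rule only rescues values whose "/" is not followed by something that looks like "type="; a value such as "a/O=b" would still be split, which is one more reason the profile should avoid "/" in attribute values.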

4.8. Summary of display results

The results of displ displaying the digital certificate of an electronic power of attorney in the certificate viewers of the general-purpose applications I examined are summarised below. In the original table the problem cells were marked in red (the colouring is not reproduced here).

| | macOS | Windows | Firefox | Acrobat | Java SUN | Java BC | OpenSSL |
|---|---|---|---|---|---|---|---|
| Loads | no problem | no problem | no problem | no problem | no problem | no problem | no problem |
| Display corruption | none | none | none | none | none | none | yes (*1) |
| stateOrProvince (ST) shown as | 都道府県/州 (prefecture/state) | S= (*2) | ST= | st= | ST= | raw OID | ST= |
| locality (L) shown as | 所在地 (location) | L= | L= | l= | L= | raw OID | L= |
| organization (O) shown as | 組織 (organisation) | O= | O= | o= | O= | raw OID | O= |
| organizationalUnit (OU) shown as | 部署 (department) | OU= | OU= | ou= | OU= | raw OID | OU= |
| commonName (CN) shown as | 通称 (common name) | CN= | CN= | cn= | CN= | raw OID | CN= |
| description shown as | 説明 (description) | Description= | raw OID | raw OID | raw OID | raw OID | description= |
| title (T) shown as | タイトル (title) | T= | raw OID | title= | T= | raw OID | title= |
| organizationIdentifier shown as | その他名前 (other name) (*9) | raw OID (*3) | raw OID (*4) | raw OID (*5) | raw OID (*6) | raw OID (*7) | raw OID (*8) |

*1: The OpenSSL command does not display all RDNs of the SAN, and Japanese attribute values are printed as hexadecimal and unreadable.
*2: Only Windows abbreviates stateOrProvince as "S=".
*3: Windows OID notation, e.g. "OID.2.5.4.97=value"
*4: Firefox OID notation, e.g. "Object Identifier (2 5 4 13) = value"
*5: Adobe Acrobat Reader DC OID notation, e.g. "2.5.4.13=value"
*6: Java JCE SUN provider OID notation, e.g. "OID.2.5.4.97=value"
*7: Java JCE BC provider OID notation, e.g. "DER Sequence ObjectIdentifier(2.5.4.13) UTF8String(value)"
*8: OpenSSL OID notation, e.g. "2.5.4.97=value"
*9: On macOS it becomes "その他名前" (other name) and the information about what the original OID was is lost.

5. ÅŻҰÑǤ¾õ¤Î¼±ÊÌ̾¤Ë´Ø¤¹¤ë¹Í»¡

²òÀâ½ñ¤Ë´ð¤¤¤Æ¥µ¥ó¥×¥ë¤ÎÅŻҰÑǤ¾õ¤òȯ¹Ô¤·¤Æ¤ß¤Þ¤·¤¿¤¬¡¢¼çÂμÔ̾¡¢¼çÂμÔÊÌ̾¤Ë¤ª¤±¤ë²ÝÂê¤Ë¤Ä¤¤¤Æ¹Í»¡¤·¤¿¤¤¤È»×¤¤¤Þ¤¹¡£

5.1. °À­¥¿¥¤¥×¤Ë¤Ä¤¤¤Æ

¼çÂμÔ̾(subject)¤ä¼çÂμÔÊÌ̾(subjectAltName)¤Î¼±ÊÌ̾¤Ë¤ª¤¤¤Æ¡¢ °À­¥¿¥¤¥×¤ÏITU-T X.509¤È¤·¤Æ¤Ï²¿¤Ç¤â¹½¤ï¤Ê¤¤¤¬¡¢ ɸ½àŪ¤Ê¤â¤Î¤ÏITU-T X.520¤ÇÄêµÁ¤µ¤ì¤Æ¤¤¤Æ¡¢ X.500 attirube types¤Î°ìÍ÷¤Ï¤³¤³¤Ç¤â¸«¤é¤ì¤Þ¤¹¡£ ¤¿¤À¡¢ITU-T X.520¤Ç¤Ï¡¢X.500¥Ç¥£¥ì¥¯¥È¥ê¤äLDAP¤Ç»ÈÍѲÄǽ¤Ê °À­¥¿¥¤¥×¤¬Á´¤Æ´Þ¤Þ¤ì¤Æ¤¤¤Æ¡¢Î㤨¤ÐLDAP¥¨¥ó¥È¥ê¤È¤·¤Æ¡¢ ¥æ¡¼¥¶¡¼¤Î¥Ñ¥¹¥ï¡¼¥É¤ò³ÊǼ¤¹¤ë id-at-userPassword°À­¤ä¡¢ CA¾ÚÌÀ½ñ¤ò³ÊǼ¤¹¤ë id-at-cACertificate °À­¤¬ÄêµÁ¤µ¤ì¤Æ¤¤¤¿¤È¤·¤Æ¤â¡¢ ¾ÚÌÀ½ñ¤Ç¤³¤Î°À­¥¿¥¤¥×¤ò»È¤¦¤³¤È¤Ï¾ï¼±Åª¤Ë¤Ê¤¤¤Ç¤·¤ç¤¦¡£

¤½¤³¤Ç¡¢¥¤¥ó¥¿¡¼¥Í¥Ã¥È¤Ç¾ÚÌÀ½ñ¤ò´Þ¤à¥Ç¡¼¥¿¤ò¸ò´¹¤¹¤ë¾ì¹ç¤Î¤¿¤á¤Ë¡¢ ITU-T X.509¤Ç¤Ï¡¢ÁªÂò»è¤¬¹­¤¹¤®¤Æº¤¤Ã¤Æ¤¤¤¿¤â¤Î¤ò¡¢ ÍøÍѲÄǽ¤Ê¥ª¥×¥·¥ç¥ó¤òÀ©¸Â¤¹¤ë¤¿¤á¤Î¥×¥í¥Õ¥¡¥¤¥ë¤ò RFC 5280¤È¤·¤Æ ÄêµÁ¤·¤Æ¤¤¤Þ¤¹¡£

°À­¥¿¥¤¥×¤Ë´Ø¤¹¤ëµ­½Ò¤Ï¡¢ 4.1.2.4Àá ȯ¹Ô¼Ô(Issuer)¤ÎÀá¤Ë½ñ¤«¤ì¤Æ¤ª¤ê¡¢ ¤³¤ì¤ÈƱ¤¸¥ë¡¼¥ë¤¬¼çÂμÔ̾¡¢¼çÂμÔÊÌ̾¤Ë¤âŬÍѤµ¤ì¤Þ¤¹¡£ ¥ë¡¼¥È¤·¤Æ¤Ï¡¢¼ÂÁõ¤¬½èÍý¤Þ¤¿¤Ï¼õÍý¤Ç¤­¤ë°À­¥¿¥¤¥×¤Ë¤Ä¤¤¤Æ½Ò¤Ù¤é¤ì¤Æ¤¤¤Þ¤¹¡£

  • C¡¢O¡¢OU¡¢distinguishedNameQualifier¡¢ST¡¢CN¡¢serialNumber¡¢DC¤Ï¼õÍý¤Ç¤­¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤(MUST)¡£
  • L¡¢T¡¢surname¡¢givenName¡¢initials¡¢pseudonym¡¢generationQualifier¤Ï¼õÍý¤Ç¤­¤ë¤Ù¤­¤Ç¤¢¤ë(SHOULD)¡£
¤³¤ì¤é¤Ë¤Ê¤¤Â°À­¥¿¥¤¥×¤¬Á´¤¯»È¤ï¤ì¤Ê¤¤¤ï¤±¤Ç¤Ï¤Ê¤¯¡¢Î㤨¤ÐEV¾ÚÌÀ½ñ¤ÇjurisdictionOfIncorporationC(ÅÐÏ¿´É³í¹ñ)¤Ê¤É¤Î°À­¤¬»È¤ï¤ì¤Æ¤¤¤ë¤¬¡¢Ê̤Υ¬¥¤¥É¤äɸ½à¤Çµ¬Äꤷ¤Ê¤¤¸Â¤ê¤Ï¡¢¾åµ­°Ê³°¤Î°À­¥¿¥¤¥×¤ò»È¤Ã¤Æ¡¢¥×¥í¥°¥é¥à¤¬°Û¾ï½ªÎ»¤·¤¿¤ê¡¢¥¨¥é¡¼¤¬È¯À¸¤·¤¿¤È¤·¤Æ¤âʸ¶ç¤Ï¸À¤¨¤Ê¤¤¤ï¤±¤Ç¤¹¡£Áê¸ß±¿ÍÑÀ­¤ÎÌäÂ꤬ȯÀ¸¤¹¤ë¤Î¤Ç¡¢RFC 5280¤Çµ­ºÜ¤µ¤ì¤¿Â°À­¥¿¥¤¥×¤ò»È¤¦Êý¤¬°Â¿´¤«¤È»×¤¤¤Þ¤¹¡£

5.2. On the organizationIdentifier attribute type

The organizationIdentifier attribute type is generally used to express the number of a company or organisation, and the electronic power of attorney records in it "the Corporate Number designated by the National Tax Agency". organizationIdentifier is also used in electronic certificates under the eIDAS regulation, Europe's national ID framework, so it is an attribute that will gradually gain ground. However, given that

  • as noted in section 5.1, it is an attribute absent from RFC 5280,
  • as seen in section 4.8, it is an attribute type that general-purpose certificate viewers do not display by name, and
  • almost all the other attributes use a prefix notation such as "代理権内容：" (content of delegated authority:),

I have the feeling there was no need to insist on the strict use of organizationIdentifier for this one attribute alone.

5.3. On the description attribute type

Most of the attributes recorded in the subjectAltName of the electronic power of attorney use either the description (2.5.4.13) or the organizationName (2.5.4.10) attribute type, with a prefix such as "代理権内容：" included in the value. Collecting all sorts of unusual X.509 certificates is a hobby of mine and I have seen many certificates, but I have never seen one that uses the description attribute type in a distinguished name. The usual use of description, I believe, is in directories such as LDAP, to note supplementary or remark-style information about an entry as a memo. From the interoperability standpoint I think it would have been better not to use it much. PKI experts abroad will probably think "Japan is doing something weird again..."

5.4. On whether OU should be used

As noted above, for most attributes of the electronic power of attorney, regardless of whether the attribute belongs to the person or to the organisation, the attribute type in the distinguished name is to be either OU or description.

In general OU is an attribute for expressing department names such as Human Resources, General Affairs, Development or the Recruiting Section, so it is not a suitable attribute type for recording miscellaneous attributes tied to the subject. The attributes of the electronic power of attorney that feel particularly odd when OU is used are, I think, the following:

  • The registered head-office address of the delegating corporation from its commercial registration: (e.g.) OU=組織所在地：本町３－３
  • The title of the delegating corporation's representative: (e.g.) OU=組織代表者肩書き：代表取締役社長
  • The name of the delegating corporation's representative: (e.g.) OU=組織代表者名：山田太郎
  • If the delegating party is a sole proprietor, their date of birth: (e.g.) OU=組織代表者生年月日：1970/04/01

For attributes of the subject, I think CN (commonName) should have been used.

5.5. So which attribute type should have been used?

As shown above,

  • using the description attribute type has no precedent I can find and is likely to cause interoperability problems, and
  • using the OU attribute type is inappropriate because OU is by nature an attribute for department names.

Both seem to have problems to some degree. For attributes belonging to the individual subject, I think commonName (CN) would have been the better choice.

As EV certificates do, it would also have been possible to define an individual attribute type for each attribute, for example "0.2.440.100145...23" for "組織代表者生年月日" (representative's date of birth), but such special attributes are not displayed by general-purpose certificate viewers and are poorly visible, so using description or OU with a prefix such as "組織代表者生年月日：" was, I think, not such a bad method after all.

5.6. The problem of similar-looking Japanese characters

The prefixes use a colon "：", as in "組織所在地：", and the explanatory guide seems to require full-width characters. To avoid variations in notation, I think it would be good to state explicitly what byte (octet) sequence each prefix becomes in UTF-8.

Also, a character that is different from another yet very similar in shape ends up as a different character at the byte level (that is, at the Unicode code-point level). When used for an attack this is called a homograph attack, and it could be exploited to get a fraudulent certificate issued. For example, the "日" character below looks similar but is a different character.

  日野市 (日 = U+65E5, correct)
  曰野市 (曰 = U+66F0)

There appear to be such similar-looking but different characters among those used in Japan, China and Korea, and for the electronic power of attorney the appendix to the explanatory guide states:

  When written in Japanese, characters outside JIS level 1, JIS level 2 and the supplementary kanji shall be converted to substitute characters. In that case it is desirable to attach information on the position of the substitute-character specification to the certificate.

So perhaps conversion information for substitute characters will be provided so that the "曰" above is unified to the correct "日". The certification authority will need to check that the characters fall within "JIS level 1, level 2 and the supplementary kanji".

Roman numerals (Ⅳ and so on) are sometimes used in the names of apartment buildings, but these are extended kanji and need care: they must be written with alphabet letters ("I" + "V" = "IV", two characters).
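The two checks the guide implies for a certification authority, that every character of an attribute value lies within JIS level 1/2 plus the supplementary kanji, and that look-alike characters such as 曰 for 日 are caught, can be automated. The following is an added example, not code from the article or from jsrsasign. It assumes that "JIS level 1, level 2 and the supplementary kanji" corresponds to JIS X 0208 plus JIS X 0212, which is the repertoire of Python's iso2022_jp_ext codec, so an encode attempt serves as the membership test; the confusable table is a constructed sample containing only the pair from the article.

```python
import unicodedata
from typing import List, Tuple

# Constructed confusable table for this example: look-alike characters that
# differ in Unicode code point. Only the pair from the article is included; a
# real deployment would load a maintained list.
CONFUSABLES = {
    "\u66f0": "\u65e5",   # 曰 (U+66F0) is easily mistaken for 日 (U+65E5)
}

# Assumption: the guide's "JIS level 1/2 + supplementary kanji" is JIS X 0208
# plus JIS X 0212, which is exactly what Python's iso2022_jp_ext codec covers.
JIS_CODEC = "iso2022_jp_ext"


def in_jis_repertoire(ch: str) -> bool:
    """True if the character can be represented in JIS X 0208 / JIS X 0212."""
    try:
        ch.encode(JIS_CODEC)
        return True
    except UnicodeEncodeError:
        return False


def check_attribute_value(value: str) -> List[Tuple[int, str, str]]:
    """Return (position, character, problem) for every questionable character.

    "outside-jis": not in JIS X 0208/0212; the guide says such characters
                   must be converted to a substitute representation.
    "confusable":  a registered look-alike of another character.
    """
    issues = []
    for i, ch in enumerate(value):
        if not in_jis_repertoire(ch):
            issues.append((i, ch, "outside-jis"))
        elif ch in CONFUSABLES:
            issues.append((i, ch, "confusable"))
    return issues


def suggest_replacement(value: str) -> str:
    """Apply the two substitutions the article describes: map confusables to
    the intended character, and fold characters outside the JIS repertoire
    such as Ⅳ (U+2163) to their compatibility form via NFKC ("I" + "V").
    Full-width punctuation like "：" stays untouched because it is inside
    JIS X 0208 and NFKC would otherwise turn it into ASCII."""
    out = []
    for ch in value:
        ch = CONFUSABLES.get(ch, ch)
        if not in_jis_repertoire(ch):
            ch = unicodedata.normalize("NFKC", ch)
        out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for sample in ("日野市", "曰野市", "メゾンⅣ", "組織所在地：東京都渋谷区神宮前"):
        print(sample, check_attribute_value(sample), "->", suggest_replacement(sample))
```

Running the check on each attribute value before issuance gives the CA a concrete place to reject or normalise input; the NFKC step is only applied to characters already flagged, so it cannot silently rewrite values that were valid to begin with.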

5.7. Other small issues in the sample entry

Let me also note a few other things that bothered me a little in the sample entry in the appendix to the explanatory guide.

  • The CRLDistributionPoints sample does not point to a CRL but is a URL to an HTML page. It would be better to use the correct extension, such as *.crl.
  • The representative's date of birth is written as "yyyy/mm/dd", but the slash "/" does not get along with OpenSSL's directory-name notation, so it would have been better without it.
  • The sample is hard to read because what is written where is scattered about; it would have been better to present it in the proper structure of a certificate profile. Some information that belongs only in a profile, such as algorithms and serial numbers, is also included, which I think is confusing. It would have been clearer to show the basic structure of the profile, like this:

    Field / extension | Content
    Issuer | English name of the electronic-power-of-attorney handling service (= the issuer)
    Validity | The period of delegation
    Subject | The main information about the proxy (e.g. the department manager) in English: name, location, etc.
    issuerAltName | Japanese name of the electronic-power-of-attorney handling service (= the issuer)
    subjectAltName | ・Information about the proxy (e.g. the department manager) in Japanese
    | ・Information about the principal (e.g. the president) in Japanese
    | ・Information on the delegated authority (e.g. the scope of the manager's authority)

Sorry for writing such a long, rambling piece.

Recent certificate topics (2): the IPv6 certificate of the CloudFlare DNS 1.1.1.1 site

Today, another instalment of certificate-hunter material...

On 1 April the public DNS service 1.1.1.1, provided by APNIC and CloudFlare and rumoured to be fast and privacy-conscious, became available. Even when traffic is encrypted, a DNS server keeps a record of which IP accessed which IP, and that is apparently used for things like targeted advertising. This DNS service, out of consideration for privacy, keeps logs for only one week and does not let them be used for advertising.

Seeing articles like this, it isn't really clear whether communication as a whole gets faster. Anyway, the official site of this service is https://1.1.1.1/, and its certificate was issued for an IP address rather than an FQDN. Sounds interesting, doesn't it? Let's download the certificate right away and look inside.

  $ openssl x509 -in ip1.1.1.1.cer -noout -text
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number:
              05:6c:de:b4:14:65:ff:27:07:16:c0:6e:91:16:2e:19
      Signature Algorithm: ecdsa-with-SHA256
          Issuer: C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA
          Validity
              Not Before: Mar 30 00:00:00 2018 GMT
              Not After : Mar 25 12:00:00 2020 GMT
          Subject: C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=*.cloudflare-dns.com
          Subject Public Key Info:
              Public Key Algorithm: id-ecPublicKey
                  Public-Key: (256 bit)
                  pub:
                      04:b2:45:0b:31:ac:50:63:ce:21:e6:7c:34:23:1a:
                      c5:c1:53:45:96:97:7a:31:87:bb:e0:ea:1d:95:f5:
                      ff:25:04:ca:75:f0:f6:3f:b5:df:51:e9:5b:c9:3d:
                      ad:b4:03:05:73:20:92:3e:74:be:8e:4b:1b:e2:68:
                      86:44:6e:62:bb
                  ASN1 OID: prime256v1
                  NIST CURVE: P-256
          X509v3 extensions:
              X509v3 Authority Key Identifier:
                  keyid:A3:9D:E6:1F:F9:DA:39:4F:C0:6E:E8:91:CB:95:A5:DA:31:E2:0A:9F
              X509v3 Subject Key Identifier:
                  DF:97:4D:E5:43:B3:B0:41:A7:42:F2:90:CF:89:7F:AE:12:57:84:E1
              X509v3 Subject Alternative Name:
                  DNS:*.cloudflare-dns.com, IP Address:1.1.1.1, IP Address:1.0.0.1, DNS:cloudflare-dns.com, IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:1001
              X509v3 Key Usage: critical
                  Digital Signature
              X509v3 Extended Key Usage:
                  TLS Web Server Authentication, TLS Web Client Authentication
              X509v3 CRL Distribution Points:
                  Full Name:
                    URI:http://crl3.digicert.com/ssca-ecc-g1.crl
                  Full Name:
                    URI:http://crl4.digicert.com/ssca-ecc-g1.crl
              X509v3 Certificate Policies:
                  Policy: 2.16.840.1.114412.1.1
                    CPS: https://www.digicert.com/CPS
                  Policy: 2.23.140.1.2.2
              Authority Information Access:
                  OCSP - URI:http://ocsp.digicert.com
                  CA Issuers - URI:http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt
              X509v3 Basic Constraints: critical
                  CA:FALSE
      Signature Algorithm: ecdsa-with-SHA256
           30:65:02:31:00:8e:8c:b2:d8:e8:21:d6:2d:7f:2a:1f:7e:a6:
           c3:1c:d4:e0:a1:95:02:2f:40:5e:80:92:88:d9:4b:cc:a5:89:
           aa:fa:9b:ca:b9:9e:a0:b7:a9:ed:21:1d:1d:1f:13:1c:0b:02:
           30:2e:79:64:67:1d:7e:10:27:d9:68:a8:c8:6c:3e:4d:cd:07:
           40:ac:d2:64:ad:b0:d0:cd:1b:af:c3:a4:26:30:ed:79:a3:a0:
           6d:f2:d4:b4:bb:66:46:59:9a:a3:67:d9:0f

The notable features of this certificate:
  • It is issued by DigiCert
  • It is an elliptic-curve (ECC) public-key certificate
  • The subjectAltName lists both IPv4 and IPv6 addresses
Wow, that's something. As a certificate hunter I look at all sorts of certificates, but this is the first non-private certificate for an IPv6 address I've ever seen. Straight into the collection!!!

The other day, at a seminar of the Japan Data Communications Association, I listened to a talk by someone from the Ministry of Internal Affairs and Communications who said, "thanks to the iPhone and smartphones, IPv6 really has spread." It's true. Apparently 17% of accesses from Japan to Google are over IPv6. In Apple iOS a mechanism that (deliberately?) delays IPv4 is being introduced, so the migration to IPv6 is expected to accelerate.

Actually, I publish jsrsasign, a JavaScript implementation of a crypto/PKI library that I wrote as a hobby, and come to think of it, it didn't support IPv6. That's not good... So I added support right away.

The sample at the end lets you create all sorts of certificates easily, so please play with it. In that sense, OpenSSL's display of the certificate,

  IP Address:2606:4700:4700:0:0:0:0:1001

is not normalised per RFC 5952; it is the non-unique notation. Normalised, it becomes:

  IP Address:2606:4700:4700::1001

I didn't even know RFC 5952, but I learned from JPNIC's "RFC5952 - the recommended text representation of IPv6 addresses: problems caused by the flexibility of IPv6 address notation and an explanation of RFC5952". Much obliged, much obliged.
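Because the textual form of an IPv6 address is not unique, a SAN entry should be compared as an address rather than as a string. The following is an added example (not code from the article or from jsrsasign) that parses the SAN line as `openssl x509 -text` prints it, using the entries quoted from the 1.1.1.1 certificate above as a constructed sample, canonicalises every IP entry to RFC 5952 form with Python's standard `ipaddress` module, and compares two spellings of the same address.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: the SAN line as 'openssl x509 -text' prints it, with the
# entries from the 1.1.1.1 certificate shown above.
SAN_LINE = ("DNS:*.cloudflare-dns.com, IP Address:1.1.1.1, IP Address:1.0.0.1, "
            "DNS:cloudflare-dns.com, IP Address:2606:4700:4700:0:0:0:0:1111, "
            "IP Address:2606:4700:4700:0:0:0:0:1001")


def parse_san(line: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL SAN line into (kind, value) pairs such as ("IP", "1.1.1.1").

    partition() splits on the first colon only, so IPv6 values keep theirs."""
    entries = []
    for item in line.split(", "):
        kind, _, value = item.partition(":")
        entries.append((kind.strip().replace(" Address", ""), value.strip()))
    return entries


def canonical_ip(text: str) -> str:
    """RFC 5952 text form: str() of an IPv6Address compresses the longest run of
    zero groups, drops leading zeros and lowercases hex digits. IPv4 is
    returned unchanged."""
    return str(ipaddress.ip_address(text))


def san_ips_canonical(line: str) -> List[str]:
    """All IP entries of a SAN line in canonical form, in certificate order."""
    return [canonical_ip(value) for kind, value in parse_san(line) if kind == "IP"]


def same_address(a: str, b: str) -> bool:
    """Compare two textual addresses as addresses, not as strings. This is the
    comparison a verifier must use when matching a connected address against
    an IP SAN entry; a string comparison would reject valid spellings."""
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)


if __name__ == "__main__":
    print(san_ips_canonical(SAN_LINE))
    print(same_address("2606:4700:4700:0:0:0:0:1001", "2606:4700:4700::1001"))
```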

And so, another nice certificate in the bag today. That's it for today...

Thinking about HPKP (HTTP Public Key Pinning)

Contents
1. Introduction
2. The background that gave rise to HPKP
3. How HPKP works
4. Considerations on configuring pins
　4.1. How to obtain the pin values
　4.2. Choosing the pin that matches the certificate chain
　4.3. Operating certificate renewal and changes to the HPKP header
　4.4. How uncool the name "backup pin" is
　4.5. Recommended values for a CA-key backup pin
　4.6. Setting several pins from one certificate chain is pointless
　4.7. Issues when you keep pinning the same CA certificate
　4.8. Issues when pinning two CA certificates
　4.9. Thinking about a recommended max-age value
5. How widely is HPKP used?
6. What was wrong with HPKP as it stands?
7. Closing
8. (Reference) Useful links on HPKP
9. Addenda
　9.1. Addendum (2017.02.26): browser support status for HPKP
　9.2. Addendum (2017.02.26): the HPKP outage at smashingmagazine.com

1. Introduction

HPKP stands for HTTP Public Key Pinning. It is specified in RFC 7469, Public Key Pinning Extension for HTTP, and is a mechanism by which a website owner protects against an unintended certificate chain being used by a fake site.

There isn't much commentary in Japanese, but it is explained in articles by jovi0608, whom I admire, and by Jxck, among others.

I too had wanted to write something, on this blog or elsewhere, about the operational problems of HPKP since a little over three years ago, around the time before I wrote the IPA guide, but I was swamped by the usual odd things of daily life and never managed to write it up. (Also, just as I was about to write it, jovi's article came out and I thought "well, that'll do", lol.) I tried to get it into the IPA guide at the time as well, but for grown-up reasons it could not be added. Sigh.

This time I'll leave the basics of what HPKP is to other people's blogs and focus on the current state of HPKP and its operational problems. It's going to be long; sorry about that.

To state the conclusion first: I think you should refrain from casually using HPKP on a production site. The reason is that the HPKP specification itself was not designed with operations properly in mind: for an ordinary site it brings little security benefit, while over long-term operation the risk of a period in which you cannot provide your service at all is far too high, and certificates cost extra as well.

This is probably the first explanatory material in the world to dig deeply into HPKP operations. Please enjoy it with a smile, lol.

2. The background that gave rise to HPKP

From around 2011, incidents increased in which cyber-attacks on certification authorities, or lapses in CA operations, let attackers obtain wildcard certificates (*.google.com and the like) for famous sites such as Google and Facebook, certificates that are convenient for attacks. What angered Google was the 2011 incident in which the Dutch CA DigiNotar was broken into, a *.google.com wildcard certificate was issued, and it was used to eavesdrop on and attack users of an Iranian provider.
[figure: hpkp-digi]
To prevent incidents like this, a mechanism is needed that raises a warning when a certificate the site owner did not intend is used for a website. That is what HPKP was developed for. In HPKP, by checking that the hash of the public key of a certificate in the certificate chain matches, the browser can verify whether the certificate is the one the website owner intended.
[figure: hpkp-hpkp1]
jovi's blog explains the background and the mechanism clearly in its chapter 1, so please have a look there too.

3. How HPKP works

There are two ways of implementing HPKP:

  • 1) For famous sites such as Google, Facebook and Twitter, matching against a list of pins built into browsers such as Chrome and Firefox (the Preloaded Known Pinned Host List)
  • 2) When communicating over HTTPS, obtaining an HTTP header with pin information from the server, storing it in the browser, and using it for matching on subsequent connections

With method 1), as long as the browser is up to date, you can connect safely to famous sites using HPKP without configuring anything. What I want to discuss in this article is case 2), where the site owner configures it, so I'll explain how 2) works.
[figure: hpkp-sethead]
You configure an HPKP HTTP header on the web server so that browsers will not connect to a rogue certificate chain; it is configured on the basis of the certificate chain, from the root certificate down to the SSL server certificate, used in the web server's HTTPS configuration. The HTTP header and the format of its value are as follows:

  Public-Key-Pins: \
      pin-sha256="<base64 of the SHA-256 hash of one of the public keys in the chain>"; \
      pin-sha256="<base64 of a SHA-256 hash that matches none of the public keys in the chain>"; \
      [pin-sha256="<other hash value 1>"; ...; ] \
      max-age=<number of seconds the browser keeps this HPKP header>; \
      [includeSubDomains;] \        whether subdomains (sub.example.com for example.com) are also covered by HPKP
      [report-uri="<URL to which a JSON-format error report is POSTed>"; ]
  [...] denotes optional parts

  • pin-sha256 is set on the basis of the certificate chain, but how to set it and the considerations involved are described later.
  • For the retention period max-age, section 4.1 of the RFC discusses it and suggests that 60 days (= 5184000 seconds) might be good, but let me discuss that later too.
  • includeSubDomains is a flag for whether subdomains are included: if HPKP is set on example.com, then sub1.example.com and www1.sub2.example.com are also subject to HPKP. If you don't have any subdomains at present, I think it's better not to set it casually.
  • Like CSP and similar mechanisms, HPKP is verified on the browser side, so the server side cannot tell the cause of an error, which can be a nuisance. With report-uri, when an HPKP error occurs in the browser, it sends a JSON-format error report by POSTing it to the web server at the specified URL, which may help in finding configuration problems. Jxck's blog has a detailed report of trying out the configuration, so it's worth a look. As that blog also says, the conditions under which a report is emitted are unclear and seem to depend on the browser and its version; I haven't managed to get report generation to work either.

Also, if you set the HTTP header as "Public-Key-Pins-Report-Only" instead of "Public-Key-Pins", error reports can be collected without the browser raising errors, so use that when testing.

4. Considerations on configuring pins

By setting pins with the pin-sha256 attribute you can prevent certificates the server owner did not intend from being used. The pin values consist of at least two: at least one that matches one of the certificates in the certificate chain, and at least one that matches none of them.
[figure: hpkp-intersect]

4.1. How to obtain the pin values

Now, the easiest way to obtain the hash values: if the web server's HTTPS configuration is already done, the best option is Scott Helme's HPKP hash page. Enter the URL of an HTTPS site, your own or someone else's, and it calculates the pin hash of each certificate in the chain.
[figure: index]
From the SSL server certificate up to the root certificate, the pin hashes are shown like

  pin-sha256="hUIG87ch71EZQYhZBEkq2VKBLjhussUw7nR8wyuY7rY="

so all you have to do is decide which pins to use and put them in the HTTP header.

As for calculating a single pin's hash, it can be computed from a certificate, from a certificate signing request (CSR/PKCS#10), or from a PKCS#8 public key extracted from the private key (or, depending on the key algorithm, from the key parameters). Many people's blogs seem to go to the trouble of creating a CSR and hashing from that, but especially for a backup pin for which no certificate exists yet, I think it's better to skip that and compute the hash from the public key. As before, Scott Helme has a page that calculates the pin hash when you enter a PEM-format PKCS#8 public key, CSR or X.509 certificate, so using that is easiest.

If you want to obtain the pin by hand, the following gives you the pin value, the SHA-256 hash of the public key. Other articles use the base64 command or force you to generate a CSR every time; the method introduced here uses only the OpenSSL command, and I've written examples for the various cases so that the pin can be obtained in each of them.

Pin of the PKCS#8 public key in the subjectPublicKeyInfo field of an X.509 certificate:
  % openssl x509 -in <PEM certificate> -pubkey -noout | openssl rsa -pubin -outform DER | \
      openssl dgst -sha256 -binary | openssl enc -base64
  te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=

Pin of the PKCS#8 public key in the subjectPKInfo field of a CSR:
  % openssl req -in <PEM CSR file> -pubkey -noout | openssl rsa -pubin -outform DER | \
      openssl dgst -sha256 -binary | openssl enc -base64
  te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=

Pin from a PKCS#8 private key:
  % openssl rsa -in <PKCS#8 private key> -pubout -outform DER | \
      openssl dgst -sha256 -binary | openssl enc -base64
  te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=

Pin from a PKCS#8 public key:
  % openssl rsa -pubin -in <PKCS#8 public key> -pubout -outform DER | \
      openssl dgst -sha256 -binary | openssl enc -base64
  te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=

Put the obtained value into the header as pin-sha256="te4kc4F/5BhtIosKLOS9sy049x7a/LQHNRRG1WHfvyU=".

Once you have the values, set them in the web server's HTTP header. For Apache HTTP Server, for example, the configuration looks like this:

  <VirtualHost _default_:443>
  ...
  Header set Public-Key-Pins \
      "pin-sha256=\"MRnxhYBVCMAxZHwalTJ7ZVl6P2005lll4ttWr+RN1Ro=\"; \
       pin-sha256=\"633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q=\"; \
       max-age=2592000; \
       report-uri=\"https://report.example.com\""
  ...

Backslashes and line breaks are inserted for readability. 2592000 seconds is 30 days.
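The OpenSSL pipelines above all compute the same thing: base64(SHA-256(DER SubjectPublicKeyInfo)). The following is an added example (not code from the article) that does the computation in Python without third-party libraries, builds and parses a Public-Key-Pins header value in the format shown in section 3, and checks the two conditions from section 4: at least one pin must match a key in the served chain, and at least one must match none of them (the backup pin), otherwise a browser will not note the pins. The keys are constructed toy RSA moduli, not real keys; the small DER encoder exists only so that the hashed bytes have the same SubjectPublicKeyInfo structure that `openssl rsa -pubout -outform DER` emits.

```python
import base64
import hashlib
import re
from typing import Dict, List, Optional

# --- minimal DER encoder so the example needs no third-party library --------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:            # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)

RSA_OID = bytes.fromhex("06092a864886f70d010101")    # rsaEncryption 1.2.840.113549.1.1.1

def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING RSAPublicKey }.
    Same structure as 'openssl rsa -pubout -outform DER' output."""
    rsa_key = _tlv(0x30, _der_int(n) + _der_int(e))
    alg = _tlv(0x30, RSA_OID + b"\x05\x00")          # NULL parameters
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_key))

# --- the pin, the header, and the two rules ---------------------------------
def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def build_pkp_header(pins: List[str], max_age: int, report_uri: Optional[str] = None,
                     include_subdomains: bool = False) -> str:
    """Value of the Public-Key-Pins header in the format shown in section 3."""
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)

def parse_pkp_header(value: str) -> Dict[str, object]:
    pins = re.findall(r'pin-sha256="([^"]+)"', value)
    m = re.search(r"max-age=(\d+)", value)
    return {"pins": pins, "max_age": int(m.group(1)) if m else None,
            "include_subdomains": "includeSubDomains" in value}

def chain_satisfies_pins(pins: List[str], chain_spki: List[bytes]) -> bool:
    """Validation rule: the chain passes if some pin matches some key in it."""
    chain_pins = {pin_sha256(k) for k in chain_spki}
    return any(p in chain_pins for p in pins)

def has_backup_pin(pins: List[str], chain_spki: List[bytes]) -> bool:
    """Noting rule: RFC 7469 requires a pin that matches none of the served
    chain's keys (the backup pin); without one the header is ignored."""
    chain_pins = {pin_sha256(k) for k in chain_spki}
    return any(p not in chain_pins for p in pins)

# Constructed sample keys: tiny moduli, NOT real keys, only to exercise the code.
LEAF_SPKI = rsa_spki_der(0xC0FFEE, 65537)
INTERMEDIATE_SPKI = rsa_spki_der(0xBEEF, 65537)
BACKUP_SPKI = rsa_spki_der(0xCAFE, 65537)          # key held in reserve, no cert yet

if __name__ == "__main__":
    chain = [LEAF_SPKI, INTERMEDIATE_SPKI]
    pins = [pin_sha256(INTERMEDIATE_SPKI), pin_sha256(BACKUP_SPKI)]
    print(build_pkp_header(pins, 2592000, "https://report.example.com"))
    print("chain ok:", chain_satisfies_pins(pins, chain), "backup ok:", has_backup_pin(pins, chain))
```

The backup-pin rule is the one people trip over: a header listing only keys that are actually in the chain looks complete but is silently discarded, which is also why the article insists on computing the backup pin from a public key that has no certificate yet.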

4.2. Choosing the pin that matches the certificate chain

In HPKP you must set at least one pin that matches the certificate chain. In this section I want to consider the following two cases separately:

  • 1) Comparing the options when only one of the certificates in the chain is chosen
  • 2) Choosing two or more, or all, of the certificates in the chain

When the certificate chain has three levels, the SSL server certificate, an intermediate CA certificate and the root certificate, and you are going to choose just one pin for verifying that the chain is not a rogue, unintended one, which should you choose? Each of the three cases has advantages and disadvantages, so let me consider them. For the SSL server certificate I split the discussion into the case where the key pair to be used at renewal a few years from now is already decided (key pre-generation) and the case where it is not (no key pre-generation).

The table below gives, for each certificate, its strengths and weaknesses and a rating of security and operational burden.

① Root CA certificate
  • Long validity, so pins rarely need changing; probably no change needed for about 10 years
  • The pins preloaded into browsers use root certificates
  • The public key after a key rollover is not known in advance, so a backup pin cannot be prepared
  • When a new SSL server certificate is bought it is not necessarily from the same root CA, in which case the pin must be migrated
  • A very large number of certificates sit under a root, so if that CA is made to issue an illegitimate certificate the risk that the attack cannot be blocked is high. For example, there was the incident in which Symantec issued Google certificates without Google's permission.
  • The chance that the root CA changes at certificate renewal is low, but if it does, a troublesome migration that accounts for max-age is needed, so the operational load is high
  Security: low / Operational burden: high
② Intermediate CA certificate
  • Validity is fairly long, so pin changes are somewhat less frequent; probably no change needed for about 5 years
  • Perhaps a balance between security and operational burden?
  • If the pinned intermediate CA public key has not changed, renewing the SSL server certificate is relatively easy
  • There is no guarantee that the pinned intermediate CA public key will be the same at the next SSL server certificate renewal.
  • At renewal there is a risk that the intermediate CA certificate changes, and since this is not announced in advance, the risk of a service outage from SSL connection failures is high
  • When the intermediate CA certificate changes, the operational burden of migration is very high, both in frequency and in effort
  • If the same intermediate CA illegitimately issues a certificate for the same domain, that chain still validates. Lower risk than ①, but higher than ③ and ④
  • There is some chance that the intermediate CA changes at renewal, more likely than ①. If it does, a troublesome migration that accounts for max-age is needed, so the operational load is high
  Security: 名 / Operational burden: 名
③ SSL server certificate (key pre-generated)
  • At renewal the chance of failing to match the pinned public key is low, so the risk of an outage due to an HPKP misconfiguration is the lowest
  • The method the HPKP RFC can be read as recommending (it is described casually, as if easily done)
  • The risk of an illegitimate certificate chain being used is (private key leakage aside) comparable to ④, and higher than ① and ②
  • The pin that changes at renewal is known in advance, so the certificate can be renewed without worrying much about max-age (as long as you do not renew again within max-age)
  • Pre-generating the key pair for renewal is only possible when you generate key pairs by hand with OpenSSL or similar; with issuance services where you do not create a CSR yourself and a browser component generates the key pair automatically, this method cannot be used
  • Let's Encrypt cannot be used, so no reduction of the operational burden through automated renewal can be expected
  • Key pair generation is normally done at renewal, but here it is done about two years ahead. Pre-generating raises the risk that the server private key leaks, and the burden of keeping it confidential is large
  • Renewal still requires care with the configuration changes, and it comes round roughly every two years, so the operational burden is relatively high
  Security: 名 / Operational burden: 名
④ SSL server certificate (no key pre-generation)
  • Everything is under your own control; the risk of an outage from misconfiguration is comparable to ③
  • Compared with ③, the risk of the server private key leaking is also lower
  • The risk of an illegitimate certificate chain being used is (private key leakage aside) comparable to ③, and higher than ① and ②
  • The usable period of the SSL server certificate is always shortened by (max-age + α) × 2. For a two-year certificate with a max-age of 2 months, including testing and margin, that is about 4 to 5 months lost, so certificate cost goes up
  • If the old and new certificates' validity periods overlap by max-age + α, the pin change always has to account for max-age. That is an operational burden, but unlike ① and ②, where whether the pin changes depends on the CA, a renewal and HPKP-change schedule that always accounts for max-age can be planned, making it routine, so the psychological burden is somewhat lower than for ① and ②
  Security: high / Operational burden: medium

So which of ① to ④ to choose? For an ordinary site that cannot use browser-preloaded pins, I think one of ② to ③ is reasonable, but all of them carry operational burden and a risk of being unable to provide service. For an individual configuring HPKP for testing anything goes, but if I were entrusted with operating a commercial site, the biggest concern would be a long service outage and the complaints that follow, so I think I would decide not to use HPKP.

4.3. How to operate certificate renewal and HPKP header changes

Section 4.2 looked at how the choice of where in the chain to place the pin changes things.

Building on that, this section considers how to operate certificate renewal and HPKP header changes on a site that uses HPKP while avoiding a service outage caused by a misconfiguration.

Renewal on a site with HPKP falls into four cases:

  • a) More than max-age before the renewal you have confirmed that the pinned key will not change
  • b) More than max-age before the renewal you know what the pinned public key will change to
  • c) More than max-age before the renewal you do not know what the pinned public key will change to (or a change is certain), but the validity periods of the old and new certificates can overlap by max-age + α
  • d) Same as c), but the validity periods cannot overlap by max-age + α

That is hard to picture in the abstract, so here are concrete examples, split by which certificate in the chain is pinned.

  • a-1) The pin is on the root or intermediate CA certificate, and customer support has confirmed that the root and intermediate certificates will not change at the next renewal (after max-age). (If support is wrong, some users face a 2-month (= max-age) outage.)
    [Figure: hpkp-move1]
  • b-1) The pin is on the root or intermediate CA certificate, and customer support has told you which root and intermediate certificates will be used at the next renewal, or this is announced on a support page. Changing the issuance service, or moving to EV, is the same case.
    [Figure: hpkp-move-b1]
  • b-2) The pin is on the SSL server certificate, and the key pair for the next renewal has already been pre-generated with OpenSSL or similar and is in safe keeping.
    [Figure: hpkp-move-b2]
  • c-1) The pin is on the root or intermediate CA certificate, customer support gives no answer about whether they will change at the next renewal, so as a fallback you have the new certificate issued max-age + α early so the validity periods overlap, and the root and intermediate did in fact change (if they did not, this is case a-1).
    [Figure: hpkp-move-c1]
  • c-2) The pin is on the SSL server certificate, but the CA generates the key pair in the browser rather than letting you use OpenSSL, so the new public key is not known in advance; the new certificate can be issued max-age + α early so the validity periods overlap.
    [Figure: hpkp-move-c2]
  • c-3) The pin is on the SSL server certificate, but an SSL accelerator with an HSM is used, so the new public key is not known in advance; the new certificate can be issued max-age + α early so the validity periods overlap. The migration diagram is the same as c-2.
  • d-1) The pin is on the SSL server certificate, but as with Let's Encrypt and some other CAs, the previous certificate is revoked immediately on renewal, so a max-age + α overlap of validity periods is impossible.
    [Figure: hpkp-move-d1]

Can you tell from the above which case your own operation falls into? Here is how to handle each of cases a to d.

  • Handling a) The web server's HPKP header need not change at renewal.
  • Handling b) Without worrying much about max-age, change the web server's certificate and HPKP header after the renewal.
  • Handling c) The most delicate case: the renewal and the HPKP header change must be scheduled around max-age, and the old and new certificates' validity periods must overlap.
  • Handling d) HPKP cannot be used in this case; consider pinning a different certificate or issuance service instead. If you use it anyway, some users will be unable to connect for roughly max-age.

Whichever certificate renewal and HPKP header migration you do, you have to plan and execute it while minding the certificate's expiry, max-age, private key storage and more, and if you do not think it through a long service outage follows. That operational burden and risk is, I think, large.

4.4. "Backup pin" is a poorly chosen name

As noted earlier, the header must always contain one pin that does not match the certificate chain. When pinning the SSL server certificate, if you can pre-generate the private key you will use at the next renewal alongside the one in use now, setting its public key as the backup pin makes it a backup in the true sense and allows a smooth certificate and pin migration (problems noted below notwithstanding).

However, being able to pre-generate the next private key as the backup and actually use it is a rare case. In the following common situations the pre-generated private key cannot be used at renewal.

Backup pin for a CA certificate
When a CA renews its certificate or rolls over its key, the successor private key does not exist in advance, and no CA publishes the pin of its successor public key to its users.
Backup when an HSM is used
CAs and SSL accelerators typically keep private keys in a hardware security module (HSM) from which the key cannot be extracted. With HSM-based key or certificate renewal you cannot pre-generate several private keys and pick one at renewal time; a new key pair is generated at renewal and used. This is why CAs cannot publish a backup pin.
CAs that generate the key pair in the web browser and issue the SSL server certificate
Some CAs use browser functionality: press a button, a key pair is generated automatically, a certificate is issued for it and stored. With such a CA, a key generated in advance cannot be used at issuance.
Using Let's Encrypt
Let's Encrypt, the free service with the world's largest issuance volume, automates issuance with scripts, and it too generates the key pair automatically at renewal, so a pre-generated key pair cannot be used.
A "backup pin" in the true sense is therefore possible only when
  • the pin is on the SSL server certificate, and
  • you use a CA that lets you generate the key pair with a command such as OpenSSL, build the certificate request by hand, and have the certificate issued from it.
So calling the pin that does not match the chain a "backup pin" is inappropriate in most of the cases above, and I think the name is a problem.

4.5. Recommended value for the backup pin of a CA key

When pinning the root or intermediate CA certificate, the non-matching pin can be anything if the future successor is unknown; it does not even need to be the hash of a real public key. It is SHA-256, so any 32-byte value will do.

That said, it is better if you can tell at a glance from the HPKP header which pin is the non-matching one, if only to prevent operational mistakes such as deleting the wrong one. So the value I recommend is:

pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
In hex this is 0000000000000000000000000000000000000000000000000000000000000000 (32 bytes). I hope it catches on (lol).

4.6. Multiple matching pins within the chain are pointless

So far I have assumed that exactly one pin matches the certificate chain. What if several match, for instance pins for the root certificate, the intermediate CA certificate and the SSL server certificate all at once?

Consider pinning the SSL server certificate first, then adding the intermediate CA certificate's pin, then the root certificate's. Assume the obvious: the same key pair is not used for server certificates issued by more than one CA. Section 4.2 ③ and ④ said that pinning the SSL server certificate is the most narrowly scoped and therefore the strongest countermeasure against fake HTTPS.

Now add a matching pin for the intermediate CA certificate. The set of certificates the pins single out does not change at all, so adding it does not make building a fake HTTPS site any harder and does not raise security. Operationally, keeping the pins in step is harder than with a single pin, and it extends into territory the website owner does not control, so certificate and pin header changes become far more complex and troublesome. Adding the root certificate's pin is exactly the same: no gain in security, and a more complex migration.
[Figure: hpkp-multipin]

So multiple matching pins within the chain are pointless and only make operation more complex; better not to.

4.7. Issues with keeping the pin on the same CA certificate

For the time being, if you keep getting certificates from the same root and intermediate CA, you can pin that CA certificate's public key. The backup pin can then be any suitable value, since the CA will not tell you the pin of its successor. It need not be a public key hash; any Base64 encoding of a 32-byte value will do (as long as it does not collide).

I wrote "for the time being" because there is no guarantee that the intermediate CA that issued your SSL server certificate will be the same CA, with the same public key, at the next issuance. The same intermediate CA certificate may not be used for the following reasons.

  • Intermediate CA certificates are valid for about 5 to 10 years. From about halfway through that period, and at the latest with 2 or 3 years remaining, the CA stops issuing from that intermediate and customers get certificates from another CA.
  • The more certificates are issued, the larger the certificate revocation list (CRL) grows, so a CA may cap the number issued from one intermediate and issue subsequent certificates from a new one.
  • In recent years, operational failures at CAs and cyberattacks have caused whole issuance services, or specific intermediate CAs, to be shut down or discontinued.
In such cases the pin of the same intermediate CA cannot be used.

When you learn that the pinned root or intermediate CA can no longer issue you a new certificate, you cannot migrate to another certificate immediately: for the max-age period, typically one month to one year, the certificate cannot be swapped. In the worst case there is no working HTTPS for that period.

There is a way to soften this. At time A, when you decide to renew and learn that the same intermediate CA cannot issue, record time B = A + max-age and obtain the new certificate (but do not use it yet). Set the pin of the new certificate's different intermediate CA public key as the backup pin in the web server's header. Only when time B arrives do you switch to the new certificate. Hence a long max-age such as one year helps against fake sites, but it carries the renewal risk just described, and half a month to one month seems a reasonable setting.

4.8. Issues with pinning two CA certificates

Alternating between two issuance services at each SSL server certificate renewal, say Symantec and GlobalSign, pinning both intermediate CA certificates in the header and treating the one not in use as the backup pin, looks like a rather clever method.
[Figure: hpkp-two]

However, for the reasons above, there are cases where the pin of the GlobalSign intermediate CA certificate you planned to use after Symantec is no longer usable.

So when the pin is on a CA certificate, isn't operating HPKP on your web server while nervously watching the whims of the issuance service a real nuisance? Seen that way, pinning the SSL server certificate you control yourself starts to look better, even if it is tedious.

4.9. Thinking about a recommended max-age

The security considerations in RFC 7469 section 4.1 say the following about the maximum max-age, in effect "60 days may be a balanced value".

From RFC 7469, 4.1. Maximum max-age:
However, a value on the order of 60 days (5,184,000 seconds) may be considered a balance between the two competing security concerns.
In my own survey (chapter 5) based on Scott Helme's list of HPKP domains, however, among sensibly operated configurations 30 days is most common at 26%, followed by 60 days at 19%.

If max-age is too long,

  • a misconfiguration leaves some users unable to connect for a long time
  • where validity periods must overlap, the effective validity of the certificate shrinks, which affects cost
as explained in section 4.2. Conversely, what happens if max-age is too short?

Simply put, the chance of being hijacked by a fake HTTPS site increases. If the real site's max-age is short and, right when it expires, a domain hijack or similar produces a fake site that serves an HPKP header with a long max-age such as one year, then once that has happened some users may, for the next year, be able to reach only the fake site.
[Figure: hpkp-maxage]
The shorter max-age is, the more opportunity an attacker has, so max-age needs to be reasonably long.

Judging from various sources, it should not take long to notice that a fake site has been set up: a few days to a week. Nobody stays unaware for half a month or a month. The minimum max-age should be set from "how long, at most, until a fake HTTPS site is noticed".

Trading off attack risk against availability risk, I therefore think a max-age of about 15 to 30 days is a good choice.

5. How widely is HPKP used?

According to Netcraft's SSL survey of March 2016, only about 0.09% of sites worldwide, at most about 4,100, set HPKP, misconfigurations are common, and only about 3,000 of those are configured correctly.

Scott Helme, an expert on CSP (Content Security Policy) and HPKP who runs an HPKP validation and reporting site, reports on his blog that only 375 of the Alexa top one million sites set HPKP.

He also publishes his survey data: a list of 448 HPKP domains as of August 2016. Based on it I did a small survey of the 283 sites that still returned an HPKP header as of February 2017.

[Figure: hpkp-graph1]
First I checked whether the header is correctly formatted and, since the specification requires two or more pin hashes, whether it has at least two. 16% were incorrect: no pin-sha256 attribute, an invalid pin-sha256 value, only one pin-sha256 attribute, and so on. For example:
  • ...
  • pin-sha256="base64+info1="; max-age=3
[Figure: hpkp-graph2]
Next, the number of pin hashes. Two are generally enough and most sites have two, but a fair number have the erroneous single pin, or three or more. One bold site had 15.
[Figure: hpkp-graph3]
max-age defines how long the public key hashes remain in force. The RFC seems to recommend 60 days, but in practice 30 days is most common. Quite a few sites use one day or less, perhaps while testing. Too short raises the chance of the site being hijacked; too long means that a failed configuration leaves users unable to connect for that whole period. Setting one year is frightening: if the configuration is wrong, some users are locked out for a year and complaints are certain.
[Figure: hpkp-graph4]
With report-uri, supporting browsers send a report to the given URL when an HPKP error occurs. Jxck's site reportedly sets it, but few sites do so far.
[Figure: hpkp-graph5]
The header can carry the includeSubDomains property; then HPKP set on example.com also applies to sub1.example.com.
[Figure: hpkp-graph6]
Normally the header is "Public-Key-Pins", but "Public-Key-Pins-Report-Only" is a testing feature: the browser does not enforce the pins and continues the HTTPS connection even on error. About 10% of sites use this test setting.
[Figure: hpkp-graph7]
Breaking the 283 reachable HPKP sites down by gTLD (com, org, ...) and ccTLD (de, ru, jp, ...): com being most common is natural, but some TLDs are notably over-represented relative to their registrations. com has 130 million, net and de 16 million, and ru 5.4 million registered domains, yet relative to registrations ru, org and de stand out sharply, and among the minor ccTLDs grouped as "other" in the graph some countries have relatively many HPKP sites. edu being unusually rare also caught my eye. "Other" included nearly 50 minor TLDs such as ar/br/cl/il/pt/nl/tn/sk.

6. What went wrong with today's HPKP

The idea behind HPKP is useful as a mechanism against fake sites that use mis-issued certificates, and the pins preloaded into Chrome and Firefox seem to work well. The header-based scheme, on the other hand, turns out to be complex and hard to operate, and if it goes wrong some users cannot connect for a long period such as two months, so the risk of an outage is high.

For personal and small-to-medium sites there is no visible payoff for an attacker in going as far as a mis-issued certificate to build a fake site, and the chance of such an attack is extremely low, so I see no need to take on the outage risk of deploying HPKP.

For HPKP to spread to ordinary sites, the specification would have to change so that it is easier to operate and less likely to cause outages. How could that be done?

Assume a max-age of two months. The operational problem with the HPKP header is that if the pin is going to change you must configure it two months before the renewal, and even if you notice a mistake and fix the header, the outage lasts two months.

So when a mistake is noticed, it would help if the corrected configuration could take effect immediately, or if there were a server-side kill switch that temporarily disables HPKP enforcement in browsers. I have not thought this through deeply, but for example, if the header carried an HPKP update date, so that a changed configuration is picked up regardless of max-age and a disable request actually disables, operations would be freed from the curse of max-age and misconfiguration.

There may be other solutions, but unless something is done, HPKP does not look likely to spread.

7. Closing

I have examined HPKP from the operational side: where to put the pin, what max-age to use, and so on. I hope it is clear that deploying HPKP is premature at present, burdens operations, and carries a high risk of a service outage.

With this I have finally, about three years late, put down what I had long wanted to write about HPKP. Apologies if it was hard to follow or if I have misunderstood something. Personally, my lingering unease about HPKP is largely gone. Well, "blogs are like that", lol

8. (Reference) Useful links on HPKP

Netcraft: Secure websites shun HTTP Public Key Pinning
Statistics showing HPKP has not caught on, and an explanation of why. Good article.
Netcraft: HTTP Public Key Pinning: You're doing it wrong!
Netcraft's analysis of misconfigurations at HPKP sites. Good article.
Scott Helme's HPKP blog posts
The blog of Scott Helme, an expert on CSP, HSTS, HPKP and other TLS-related technology, who runs the reporting site report-uri.io. Includes data such as the list of HPKP domains.
Qualys Blog: Is HTTP Public Key Pinning Dead?
Ivan Ristic's discussion of whether HPKP is finished.
Raymii.org: HTTP Public Key Pinning Extension HPKP for Apache, NGINX and Lighttpd
Thorough explanation, with HPKP header configuration examples for each server.
MDN: Public Key Pinning
Mozilla's HPKP documentation: which Chrome and Firefox versions support it, server configuration examples, the note that reporting only works in recent Chrome, etc.
About Public Key Pinning - Chris Palmer (original text)
Chris Palmer's explanation of HPKP. It contains some misunderstandings, but it was the first article to consider, case by case, where in the chain to pin.
Bochibochi Diary: Trying Public Key Pinning to detect bogus SSL certificates
jovi's detailed and wide-ranging explanation of (draft) HPKP.
Jxck's blog: Supporting Public Key Pinning for HTTP (HPKP) and collecting reports with report-uri.io
Jxck's explanation; the report on trying out the report-uri feature is especially valuable.
User tracking through public key pinning: HPKP Supercookies
Not closely related to this article, but Nishimunea's slides on an interesting attempt to identify users without cookies using HPKP.
OWASP: Certificate and Public Key Pinning
OWASP's article. Much of the information is superfluous.

9. Addenda

9.1. Addendum (2017.02.26): HPKP browser support

caniuse.com tracks browser support for many features and includes HPKP support as of February 2017, reproduced here. Firefox, Chrome, Opera and Chrome for Android support it; nothing else does.
[Figure: hpkp-caniuse]

9.2. Addendum (2017.02.26): The HPKP outage at smashingmagazine.com

Continuing to read up on HPKP afterwards, I found a post on the smashingmagazine.com blog analysing a connection outage caused by HPKP. It said:

  • HPKP is an effective feature against man-in-the-middle attacks, but
  • an HPKP misconfiguration caused an HTTPS outage from 21 to 25 October 2016
  • the certificate expired, and updating the HPKP header led to errors
  • the certificate was already expired, so rolling back was impossible
As lessons, the blog says:
  • HPKP is worth using for sites such as financial ones, but a plain information site does not need it; an outage from an HPKP misconfiguration is a bigger threat than a man-in-the-middle attack
  • shortening max-age mitigates the problem
I agree that being unable to provide service is the bigger problem, but as I said earlier, setting max-age too short is unwise and needs care. This site apparently used a one-year max-age, which is indeed too long. Looking at the newly set HPKP header, it has three pins besides the current SSL server certificate's and max-age set to one day; the configuration seems to have several problems.

On multi-valued RDNs in X.509 certificate distinguished names, and jsrsasign's support for them

A PKI topic for once. Digital certificates (X.509 certificates) use distinguished names (DN) for the Subject Name and the Issuer Name, for example

CN=yourname@example.com,O=example,C=JP
Each comma-separated component is called a relative distinguished name (RDN):
O=example
Generally an RDN consists of "one" attribute type and attribute value pair (AttributeTypeAndValue):
attributeType=attributeValue
O=example
But as I wrote "generally", an RDN may hold several AttributeTypeAndValues. This is called a multi-valued RDN and is written with the components joined by a plus sign "+":
attributeType1=attributeValue1+attributeType2=attributeValue2...
CN=User1+serialNumber=123
Search for "Multi-valued RDN" and you will find plenty in English, yet apart from my own blog there seem to be hardly any Japanese articles that touch on it. Today, using my jsrsasign crypto library and OpenSSL, I want to dig into multi-valued RDNs and distinguished names in certificates.

Entries and distinguished names

LDAP, and the X.500 directory service it derives from, manage information as a tree of "entries"; a company, its departments and its employees can be managed like this:
[Figure 1]
LDAP identifies an entry as, say, "Jiro Sato" in "General Affairs" of "Marubatsu Trading". Entry names such as "General Affairs" or "Jiro Sato" are given an attribute type, such as organization name (O: Organization Name), organizational unit name (OU: Organizational Unit Name) or common name (CN: Common Name).
[Figure 2]
For example, to identify Suzuki in Sales you walk up to the topmost entry and write the following. This is the "distinguished name (DN: Distinguished Name)", and it distinguishes this Suzuki from a Suzuki in another department.

CN=Suzuki,OU=Sales,O=MaruBatsu
Within the DN, each entry's circle, such as "OU=Sales", is a relative distinguished name (RDN: Relative Distinguished Name).

The tree of entries is called the DIT (Directory Information Tree).

What is a multi-valued RDN, and why is it needed?

With the DN described above, what if there are two people named Hanako Suzuki in the same Sales department? You could add a digit to the common name, add the employee number or e-mail address as an extra value, or add an entry, but none of these is great.
[Figure 3]
Instead, a single entry can be identified by several values. This is what is called a multi-valued RDN.
[Figure 4]
People with identical names surely exist, so combining the name with another unique value such as employee number or e-mail address is a smart way to manage them, and since some commercial directory servers license by number of entries, multi-valued RDNs can also cut cost. Not every product supports them, though (remember how a certain product's smart card or 802.1X authentication ran into trouble later...), so whether you can really use them has to be settled with the applications involved.

String representations of a distinguished name

There are roughly two string representations of a DN:

CN=Matsuda Kenji,OU=Sales,O=MaruBatsu
/O=MaruBatsu/OU=Sales/CN=Matsuda Kenji
One joins the RDNs from the bottom of the DIT upward with commas ","; the other from the top downward with slashes "/".

The reverse-order comma form is specified in RFC 2253, Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names, and its successor RFC 4514. It is the form LDAP application software generally uses.

The other form, with a leading slash and the RDNs joined in forward order by slashes, is called the OpenSSL compat format. It is OpenSSL's default and is used in the configuration of OpenSSL-based web servers such as Apache HTTP Server, nginx and lighttpd.

In either form a multi-valued RDN is written with its values joined by a plus sign "+":

CN=Matsuda Kenji+emailAddress=matsu@mb.com,OU=Sales,O=MaruBatsu
/O=MaruBatsu/OU=Sales/CN=Matsuda Kenji+emailAddress=matsu@mb.com
As far as I know there is no rule about the display order of values joined by "+", so in the multi-valued RDN below either CN or emailAddress may come first. How this is encoded in ASN.1 is covered later.
CN=Matsuda Kenji+emailAddress=matsu@mb.com
emailAddress=matsu@mb.com+CN=Matsuda Kenji

Next, the string representation of attribute types such as CN and OU. There is no strict standard for how they must be written, and implementations are known to differ. Eight years ago, in connection with XAdES long-term signatures, I surveyed how implementations render attribute types in DNs; here is the table from back then.
[Table: RFC 2253 test 1, attribute type names]
RFC 5280, which defines the X.509 certificate profile, lists in section 4.1.2.4 (Issuer) the attribute types that MUST be supported and those that SHOULD be. In the table MUST types are light green, SHOULD types yellow, and other types that actually occur in certificates white; I tested how .NET and various Java-based crypto libraries render each. As the table shows, the results are all over the place. The emailAddress attribute, used for S/MIME and present in a great many real certificates, is not required by the standard, which I think is why support for it is uneven.

Looking back, the following attribute types for EV certificates, which did not exist then, are ones I should also test today:

  • jurisdictionOfIncorporationL - jurisdiction of incorporation (locality)
  • jurisdictionOfIncorporationSP - jurisdiction of incorporation (state or province)
  • jurisdictionOfIncorporationC - jurisdiction of incorporation (country)

An article of mine from eight years ago also summarised the differences between RFC 2253 and its successor RFC 4514 for the comma-joined DN representation. The revision moves toward a more unique DN string, but the specification states explicitly that an RFC 4514 DN string is not unique (is not canonical): many representations are allowed, so you must bear in mind that a simple string comparison cannot tell whether two DNs are the same.

    ¼±ÊÌ̾¤ÎASN.1ÄêµÁ¤È¹½Â¤

    ¼¡¤Ë¡¢¼±ÊÌ̾¤¬¡¢ASN.1 DER¥¨¥ó¥³¡¼¥Ç¥£¥ó¥°¤Ë¤è¤ê¡¢¤É¤Î¤è¤¦¤Ë¥Ð¥¤¥ÈÎó¤Ë¥¨¥ó¥³¡¼¥É¤µ¤ì¤ë¤Î¤«¤ò¡¢ ÀâÌÀ¤·¤¿¤¤¤È»×¤¤¤Þ¤¹¡£¤Þ¤ººÇ½é¤Ë¡¢¼±ÊÌ̾¤ÎASN.1ÄêµÁ¤ò¾Ò²ð¤·¤Þ¤·¤ç¤¦¡£ RFC 5280 4.1.2.4 Issuer¤è¤ê

    // X.500̾¡¢¼±ÊÌ̾(DN)¤ÏRDN¤ÎʤÓ(SEQUENCE) Name ::= CHOICE { rdnSequence RDNSequence } RDNSequence ::= SEQUENCE OF RelativeDistinguishedName // RDN¤Ï¡¢AttributeTypeAndValue 1¤Ä°Ê¾å¤ÎSET // ¤Ä¤Þ¤ê¡¢Ê£¿ôAttributeTypeAndValue¤¬¤¢¤Ã¤Æ¤â¤è¤¤¡£ // ¤³¤ì¤¬Ê£¿ô¤¢¤ì¤Ð Multi-valued RDN RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue // °À­¥¿¥¤¥×¤È°À­ÃͤΥڥ¢ AttributeTypeAndValue ::= SEQUENCE { type AttributeType, value AttributeValue } AttributeType ::= OBJECT IDENTIFIER AttributeValue ::= ANY // °À­ÃͤÏANY¤ÈÄêµÁ¤·¤Æ¤¤¤Ê¤¬¤é¤â¡¢DirectoryString¤Ç // ÄêµÁ¤µ¤ì¤¿¤¤¤º¤ì¤«¤Îʸ»ú¥¿¥¤¥×¤ò»ÈÍѤ¹¤ë DirectoryString ::= CHOICE { teletexString TeletexString (SIZE (1..MAX)), printableString PrintableString (SIZE (1..MAX)), universalString UniversalString (SIZE (1..MAX)), utf8String UTF8String (SIZE (1..MAX)), bmpString BMPString (SIZE (1..MAX)) }
    ¤Ä¤Þ¤ê¡¢
    • ¼±ÊÌ̾(DN)¤Ï¡¢ÁêÂм±ÊÌ̾(RDN)¤ÎʤÓ(SEQUENCE OF)¤Ç¤¢¤ê
    • ÁêÂм±ÊÌ̾(RDN)¤Ï¡¢Â°À­¥¿¥¤¥×¤ÈÃÍ(AttributeTypeAndValue)¤Î½¸¹ç(SET OF)¤Ç¤¢¤ê
    • °À­¥¿¥¤¥×¤ÈÃÍ(AttributeTypeAndValue)¤Ï¡¢Â°À­¥¿¥¤¥×¤ÈÃͤÎʤÓ(SEQUENCE)¤Ç¤¢¤ë
    ¤È¤¤¤¦»ö¤Ç¤¹¡£SEQUENCE¤ÈSET¤Ï¹½Â¤·¿¤È¸Æ¤Ð¤ì¤ëASN.1¥×¥ê¥ß¥Æ¥£¥Ö¤Ç¤¹¤¬¡¢
    • SEQUENCE¤ÏÇÛÎó¤Î¤è¤¦¤Ê¤â¤Î¤Ç¡¢½ç½ø´Ø·¸¤Î¤¢¤ëʤӤòɽ¤¹ºÝ¤Ë»È¤¤¤Þ¤¹¡£
    • SET¤Ï½¸¹ç¤Î¤è¤¦¤Ê¤â¤Î¤Ç¡¢¹½À®Í×ÁǤÎÃæ¤Ë¤ÏÆä˽ç½ø´Ø·¸¤Ï¤Ê¤¤¾ì¹ç¤Ë»È¤¤¤Þ¤¹¡£
    ¤Ä¤¤¤Ç¤Ë¡¢SEQUENCE¤äSET¤È¡¢SEQUENCE OF ¡Á¡¢SET OF ¡Á¤Î°ã¤¤¤Ç¤¹¤¬¡¢
    • ñ¤ËSEQUENCE¤äSET¤È¤Ê¤Ã¤Æ¤¤¤ë¾ì¹ç¤Ë¤Ï¡¢¹½À®Í×ÁǤÎASN.1¥¯¥é¥¹¤¬°Û¤Ê¤ë¾ì¹ç¤Ë »È¤¤¤Þ¤¹¡£¾å¤ÎÎã¤Ç¤ÏAttributeTypeAndValue¤¬¤½¤ì¤ËÅö¤¿¤ê¤Þ¤¹¡£
    • SEQUENCE OF¡¢SET OF¤È¤·¤¿¾ì¹ç¡¢¹½À®Í×ÁǤÎASN.1¥¯¥é¥¹¤¬Æ±¤¸·¿¤Î¾ì¹ç¤Ë »È¤¤¤Þ¤¹¡£¾å¤ÎÎã¤Ç¤Ï¡¢Name¤äRDN¤¬¤½¤ì¤ËÅö¤¿¤ê¤Þ¤¹¡£

Now let us DER-encode the following distinguished name as an example.

CN=aaa,O=TEST,C=JP

An RFC 2253 string lists the RDNs from the most specific one (CN) outward, which is the reverse of the encoded order, so the encoding starts with C:

30 2A              SEQUENCE OF                 -- DN
31 0B                SET OF                    -- RDN[1]
30 09                  SEQUENCE                -- AttributeTypeAndValue
06 03 55 04 06           OBJECT IDENTIFIER     countryName (2.5.4.6)
13 02 4A 50              PrintableString       "JP"
31 0D                SET OF                    -- RDN[2]
30 0B                  SEQUENCE                -- AttributeTypeAndValue
06 03 55 04 0A           OBJECT IDENTIFIER     organizationName (2.5.4.10)
0C 04 54 45 53 54        UTF8String            "TEST"
31 0C                SET OF                    -- RDN[3]
30 0A                  SEQUENCE                -- AttributeTypeAndValue
06 03 55 04 03           OBJECT IDENTIFIER     commonName (2.5.4.3)
0C 03 61 61 61           UTF8String            "aaa"

Every ASN.1 element consists of a tag that identifies the data type, a length in bytes and the value. In the last line above, 0C is the tag for UTF8String, 03 is the length (3 bytes) and 61 61 61 is the value ("aaa").

Next, let us see how a multi-valued RDN is encoded, using the example below. Here the last RDN carries two AttributeTypeAndValue pairs, CN=aaa and CN=a.

CN=aaa+CN=a,O=TEST,C=JP

DER-encoding this gives the following. Look at the last RDN: you can see that the SET now holds two AttributeTypeAndValue elements, CN=a and CN=aaa. Note also that of the two, CN=a always comes first.

30 34                                       DN
31 0B                                         RDN[1]  C=JP
30 09 06 03 55 04 06 13 02 4A 50
31 0D                                         RDN[2]  O=TEST
30 0B 06 03 55 04 0A 0C 04 54 45 53 54
31 16                                         RDN[3]  CN=aaa+CN=a   -- the SET holds two SEQUENCEs
30 08                                           ATV[1]  CN=a        -- CN=a comes first
06 03 55 04 03 0C 01 61
30 0A                                           ATV[2]  CN=aaa
06 03 55 04 03 0C 03 61 61 61
The order of CN=a and CN=aaa inside this RDN comes from a small difference between ASN.1 DER and BER. DER is a subset of BER: where BER allows several encodings of the same value, DER always produces exactly one. The differences are summarized below.

Overview
  DER: encoding rules that give every ASN.1 value exactly one encoding.
  BER: the general encoding rules. DER is a subset, so every DER encoding is also valid BER.
What they share
  A data representation with a long history in telecommunications, not bound to CPU word or integer sizes, able to carry very large values and arbitrary structured data, and more compact than XML or JSON.
Typical uses
  DER: certificates, CRLs, OCSP, RFC 3161 timestamps (anything signed, where the bytes must be reproducible exactly).
  BER: S/MIME data, CMS signed and encrypted data, PKCS#12.
Encodings
  DER: always unique. The length of every element has to be known up front, so DER is poorly suited to streaming very large values.
  BER: several encodings of the same value are allowed, and very large values can be streamed.
SET OF
  DER: the encoded elements are sorted in ascending byte order.
  BER: no sorting required.
BOOLEAN and DEFAULT values
  DER: TRUE must be encoded as the single octet FF, and a component equal to its DEFAULT value (for example cA BOOLEAN DEFAULT FALSE in BasicConstraints) must be omitted.
  BER: any non-zero octet is TRUE, and DEFAULT values may be written out explicitly.
Indefinite length
  DER: only the definite-length form, in its shortest encoding, is allowed, so the size of a value has to be known before it is encoded.
  BER: the indefinite-length form is also allowed: a length octet of 80 means the value runs until the end-of-contents octets 00 00, which makes large values easy to handle.

Because of these differences, and specifically the SET OF rule, the order of the elements in the SET OF of a multi-valued RDN is fixed under DER.
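The table above lists the BER constructs that DER rules out. The following checker, added here as an example and not code from the original post or from jsrsasign, walks a BER/DER byte string and reports each of them (indefinite length, non-minimal length octets, BOOLEAN TRUE not encoded as FF, and SET OF elements out of order). It uses Node.js built-ins only; the sample inputs at the end are constructed from the DN encoded above.

```javascript
// Added example (not from the original post, not jsrsasign code): walk a
// BER/DER-encoded byte string and report every construct that BER permits but
// DER forbids, which is what a signature verifier or certificate parser should
// reject. Node.js built-ins only.

// Length octets. Returns the content length (-1 for the indefinite form), the
// offset of the first content octet and whether the form is the DER-minimal one.
function readLength(buf, pos) {
  const first = buf[pos];
  if (first === 0x80) return { len: -1, next: pos + 1, indefinite: true, minimal: true };
  if (first < 0x80) return { len: first, next: pos + 1, indefinite: false, minimal: true };
  const n = first & 0x7f;
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + buf[pos + 1 + i];
  // DER: long form only for lengths >= 128 and without leading zero octets.
  const minimal = len >= 0x80 && buf[pos + 1] !== 0x00;
  return { len, next: pos + 1 + n, indefinite: false, minimal };
}

// Parses one TLV at pos, descending into constructed values. Findings are
// appended as "<path>: <problem>", where the path lists tag@offset of each
// enclosing element.
function parseTlv(buf, pos, findings, path) {
  const start = pos;
  const tag = buf[pos];
  const here = `${path}/${tag.toString(16).padStart(2, '0')}@${pos}`;
  const { len, next, indefinite, minimal } = readLength(buf, pos + 1);
  if (!minimal) findings.push(`${here}: non-minimal length octets (BER only)`);
  const constructed = (tag & 0x20) !== 0;
  const children = [];
  let p = next;
  if (indefinite) {
    findings.push(`${here}: indefinite length 80 ... 00 00 (BER only)`);
    if (!constructed) throw new Error(`${here}: indefinite length on a primitive`);
    while (!(buf[p] === 0x00 && buf[p + 1] === 0x00)) {
      const child = parseTlv(buf, p, findings, here);
      children.push(child.encoding);
      p = child.next;
    }
    p += 2; // end-of-contents octets
  } else if (constructed) {
    const valueEnd = next + len;
    while (p < valueEnd) {
      const child = parseTlv(buf, p, findings, here);
      children.push(child.encoding);
      p = child.next;
    }
  } else {
    // BOOLEAN: BER accepts any non-zero octet as TRUE, DER requires FF.
    if (tag === 0x01 && len === 1 && buf[p] !== 0x00 && buf[p] !== 0xff)
      findings.push(`${here}: BOOLEAN TRUE encoded as ${buf[p].toString(16)} (DER requires FF)`);
    p = next + len;
  }
  // SET OF (an RDN is SET OF AttributeTypeAndValue): X.690 11.6 order. For
  // complete TLVs Buffer.compare gives the same order as the zero-padded
  // comparison, because encodings of different length already differ at the
  // length octets.
  if (tag === 0x31) {
    for (let i = 1; i < children.length; i++) {
      if (Buffer.compare(children[i - 1], children[i]) > 0) {
        findings.push(`${here}: SET OF elements not in X.690 11.6 order (BER only)`);
        break;
      }
    }
  }
  return { encoding: buf.subarray(start, p), next: p };
}

// Returns the list of DER violations found in a hex-encoded BER/DER value.
function derFindings(hex) {
  const buf = Buffer.from(hex, 'hex');
  const findings = [];
  let pos = 0;
  while (pos < buf.length) pos = parseTlv(buf, pos, findings, '').next;
  return findings;
}

// Constructed inputs: the DER encoding of CN=aaa+CN=a,O=TEST,C=JP from the post,
// and a BER re-encoding of the same Name with an indefinite-length outer
// SEQUENCE and the two CN values in the wrong order.
const DER_NAME = '3034310b3009060355040613024a50310d300b060355040a0c0454455354'
  + '3116300806035504030c0161300a06035504030c03616161';
const BER_NAME = '3080310b3009060355040613024a50310d300b060355040a0c0454455354'
  + '3116300a06035504030c03616161300806035504030c01610000';
```

derFindings(DER_NAME) returns an empty list, while derFindings(BER_NAME) reports the indefinite length on the outer SEQUENCE and the unsorted SET at RDN[3]. Rejecting such inputs matters wherever the bytes are the thing that was signed: a verifier that re-encodes a BER name before hashing can be talked into accepting a different byte string than the one the CA signed.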

    SET¤ÎÍ×ÁǤϡ¢³ÆÍ×ÁǤòASN.1¥¨¥ó¥³¡¼¥É¤·¤¿¤È¤­¤Î¾º½ç¤Î¼­½ñ½ç¤Ç¥½¡¼¥È¤µ¤ì¡¢¤¶¤Ã¤¯¤ê¸À¤¨¤Ð¡¢

    • Í×ÁǤÎû¤¤ÊªÄøÀè
    • Ʊ¤¸Ä¹¤µ¤Ê¤é°À­¥¿¥¤¥×¤ÎŤµ¤¬Ã»¤¤Êý¤¬Àè
    ¤È¤¤¤¦¤³¤È¤Ë¤Ê¤ê¤Þ¤¹¡£Îã¤Ç¤ß¤Æ¤ß¤Þ¤·¤ç¤¦¡£
    3008 0603550403 0C0161 CN=a 300A 0603550403 0C03616161 CN=aaa ^^ Á´ÂΤÎŤµL¤¬08, 0A¤Î½ç¤Ë¤Ê¤ë¤Î¤ÇƱ¤¸Â°À­¥¿¥¤¥×Ĺ¤Ê¤é°À­ÃͤÎû¤¤Êý¤¬Àè C,O,OU,CN¤Ê¤É¼çÍפÊ°À­¥¿¥¤¥×¤ÏOID¤ÎÃͤ¬2.5.4.x¤Ë¤Ê¤ë¤Î¤ÇƱ°ì°À­¥¿¥¤¥×Ĺ
    Á´ÂΤÎŤµ¤¬Æ±¤¸»þ¡¢
    ^^ Á´ÂΤÎŤµ¤ÏƱ¤¸¤Ê¤é 3011 0603550403 0C0A6162636465666768696A CN=abcdefghij 3011 060B2B0601040182373C020103 0C024A50 jurisdictionOfIncorporateC=JP ^^ °À­¥¿¥¤¥×¤ÎÃͤÎû¤¤Êý¤¬Àè

OpenSSL and multi-valued RDNs

OpenSSL supports multi-valued RDNs; all it takes is the "-multivalue-rdn" option of openssl req, with the attributes of one RDN joined by "+". For example, to create a self-signed certificate with a multi-valued RDN from an existing private key in one line:

openssl genrsa 2048 > a.prv
openssl req -new -key a.prv -x509 -subj /C=JP/O=Test/OU=b+CN=a -out c.cer -multivalue-rdn

and to create a certificate signing request with a multi-valued RDN:

openssl req -new -key a.prv -subj /C=JP/O=Test/OU=b+CN=a -out c.csr -multivalue-rdn

Without the option, older OpenSSL releases take the "+" literally, so the OU value becomes "b+CN=a" instead of a second attribute. To check what you got, openssl asn1parse -i -in c.cer shows the two SEQUENCEs nested under a single SET in the subject.

Multi-valued RDNs in jsrsasign

jsrsasign is a pure JavaScript cryptography library that I wrote as a hobby. I have been adding features bit by bit since around 2010 whenever I found the time; it started as RSA signing only, and every time I thought "I'd like to have that" I bolted on more, ASN.1, certificates, timestamps, JOSE and so on, and it has become my go-to tool whenever I want to quickly try something PKI-, ASN.1- or JOSE-related (JWS, JWT, JWK).

It works both in web browsers and in Node, and I have kept the API documentation and samples fairly complete, so it has quite a few users around the world. Recently I found out it is used in hardware products from SONY and Yokogawa (and, without asking me, from my own employer (^^;), and the npm package apparently gets a little under 100,000 downloads a month, for which I am truly grateful.

There are other JavaScript crypto APIs, such as the W3C Web Crypto API, but there are cases where mobile browsers do not support it, older algorithms are unavailable, and even something simple takes many lines of code, which is tedious. jsrsasign therefore aims at "getting what you want done in as few lines as possible": for keys, for instance, you can pass a private key, a public key, PKCS#5, PKCS#8 or a JSON Web Key to KEYUTIL.getKey and it will work it out. It runs on PCs, smartphones and Node, even in somewhat old environments, as long as JavaScript runs. I have also tried to provide API documentation and tutorials as generously as I can.

There is an English introductory slide deck that covers fairly recent material, and, although a little dated, the introductory slides I presented at a JNSA working group in 2013, back when jsrsasign and jsjws were still separate development lines, so have a look at them if you are interested.

I am sorry that the documentation exists only in my clumsy English, but if you run into a problem, feel free to file an Issue in Japanese.

So, I had been wanting to add multi-valued RDN support and comma-separated (RFC 2253 style) DN support to jsrsasign, and finally did so recently, shortly after releasing 6.2.2. For example, checking how a distinguished name with a multi-valued RDN is DER-encoded is as simple as this:

% node
> var X509Name = require("jsrsasign").KJUR.asn1.x509.X500Name;
> new X509Name({str: "/C=JP/O=T1+CN=kjur"}).getEncodedHex();
'3027310b3009060355040613024a5031183009060355040a0c025431300b06035504030c046b6a7572'

Multi-valued RDNs can also be used when creating a certificate signing request (CSR):

var rs = require("jsrsasign");
var kp = rs.KEYUTIL.generateKeypair("RSA", 2048);
var pubKeyPEM = rs.KEYUTIL.getPEM(kp.pubKeyObj);               // subject public key as PEM
var prvKeyPEM = rs.KEYUTIL.getPEM(kp.prvKeyObj, "PKCS8PRV");   // subject private key as PEM
var csrPEM = rs.KJUR.asn1.csr.CSRUtil.newCSRPEM({
  subject: {ldapstr: 'OU=T1+CN=example.com,O=Test,C=US'},      // multi-valued RDN in RFC 2253 order
  ext: [
    {subjectAltName: {array: [{dns: 'example.net'}]}}
  ],
  sbjpubkey: pubKeyPEM,
  sigalg: "SHA256withRSA",
  sbjprvkey: prvKeyPEM
});

and when issuing a certificate:

var certPEM = rs.KJUR.asn1.x509.X509Util.newCertPEM({
  serial: {int: 4},
  sigalg: {name: 'SHA256withRSA', paramempty: true},
  issuer: {str: '/C=US/O=a'},
  notbefore: {str: '130504235959Z'},
  notafter: {str: '140504235959Z'},
  subject: {ldapstr: 'OU=kjur+CN=kjur,O=b,C=US'},               // multi-valued RDN
  sbjpubkey: kp.pubKeyObj,                                       // subject public key
  ext: [
    {basicConstraints: {cA: true, critical: true}},
    {keyUsage: {bin: '11'}},
  ],
  cakey: kp.prvKeyObj                                            // issuer private key that signs the certificate
});

It is fairly flexible, so please give it a try.

Closing

So that was a long, rambling post about multi-valued RDNs and distinguished names (DNs). Sorry about that. I hope it is useful to someone.

Addendum (2016-12-19)

Ah, so that I am not misunderstood: I have no intention whatsoever of promoting multi-valued RDNs or of claiming they should be used. The principle is to design infrastructure for the highest interoperability, and if you can do without them, you are better off not using them. Just do not be surprised when you receive one... w

SSL/TLS as seen in the SSL Pulse statistics (December 2015 edition)

Well, it's the end of the year. Lately I have had no time at all for SSL/TLS surveys. The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, well known for ssllabs, and publishes monthly SSL-related statistics for the world's top 200,000 sites by traffic according to the web survey company Alexa. Following the October edition, let us chart the SSL/TLS trends from the December 2015 SSL Pulse. This month the data seems to have been published quite early, but I was late to notice.

Vulnerability mitigation trend

(chart: 201512-a1vuln)

SSL/TLS protocol trend

(chart: 201512-a2proto)

SSL server certificate key length and signature algorithm trend

(chart: 201512-a3crt)

Support for newer technologies

(chart: 201512-a4adv)
SPDY is declining; the mig­ration to HTTP/2 has begun. SSL Pulse has actually been reporting HTTP/2 support for about four months now, so I want to chart that soon.

Minimum key exchange strength

(chart: 201512-a5kx)

Minimum DH(E) key exchange key length

(chart: 201512-a6dh)
While support for DH key exchange is roughly flat,

Minimum ECDH key exchange key length

(chart: 201512-a7ecdh)
support for ECDH(E) is clearly increasing.

Closing

With the year-end rush I don't feel I have been out drinking that much, yet somehow work keeps piling up orz. Sorry for the sparse commentary. That's it for this month.

SSL/TLS as seen in the SSL Pulse statistics (October 2015 edition)

The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, well known for ssllabs, and publishes monthly SSL-related statistics for the world's top 200,000 sites by traffic according to the web survey company Alexa. Following the August edition, let us chart the SSL/TLS trends from the October 2015 SSL Pulse. This month the data took a long time to appear; I think it was finally updated around 19 October. No new items were added either, so I wonder why.

Vulnerability mitigation trend

(chart: 201510vuln)
The share of sites that still allow RC4 keeps falling steadily; this month only 53% of sites still accept it. Sites supporting perfect forward secrecy, i.e. ECDHE or DHE key exchange, have risen to 71.5%, so it is usable on a large majority of servers.

SSL/TLS protocol trend

(chart: 201510proto)
Thanks to POODLE, sites that still allow SSLv3 are down to 32.5%.

SSL server certificate key length and signature algorithm trend

(chart: 201510crt)
Driven by the SHA-1 certificate warnings in Google Chrome and Windows products, the migration to SHA-2 continued smoothly this month: SHA1withRSA is at 24.1% and SHA256withRSA at 74.9%. Only a quarter left to go.

Support for newer technologies

(chart: 201510adv)
HSTS, OCSP stapling and EV are all creeping up, but nothing to write home about.

Minimum key exchange strength

(chart: 201510kx)
Key exchange strength is moving nicely away from 512-bit and 1024-bit toward 2048-bit equivalent, but...

Minimum DH(E) key exchange key length

(chart: 201510dh)
48.2% of sites do not support DH key exchange at all, and 1024-bit DH, whose strength is insufficient, is declining but still at 28.9%. Opinions differ, but I think it is better to skip DH(E) and use ECDH(E).

Minimum ECDH key exchange key length

(chart: 201510ecdh)
Sites that cannot do ECDH/ECDHE are down to 34.2%, and sites that can use 256-bit ECC are up to 61.9%. It has become quite widespread, so my advice is: don't overthink it, just make sure ECDHE is enabled.

Closing

If I don't write two conference presentations I am seriously in trouble. That's it for today.

Deep Inside Certificate Transparency (Part 1)

Certificate Transparency (CT from here on) has all sorts of problems and I keep thinking "hmm, really?", but when a mountain is there you want to climb it (^^; I have been investigating the CT log servers and the data they store, building various tools along the way. Over several posts I want to write up what I have learned about CT.

About precertificates

There are several ways of showing that a certificate supports CT, but the one actually in use is embedding a Signed Certificate Timestamp (SCT) extension in the issued certificate. I have not seen an implementation of the other two delivery methods, the TLS extension and the OCSP response.

To include the SCT extension, something called a precertificate is required; what a precertificate is and in what flow it is issued is explained in this slide deck. Several pages at DigiCert also explain precertificates, so have a look if you are interested. [1] [2] [3]

For certificates issued before CT was introduced, and for certificates that were never meant to support CT, the CT log servers simply store the X.509 certificate chain; for the certificates of vendors that are seriously supporting CT, the precertificate chain is stored instead. As far as I can tell, Chrome's "public audit records available" indication is shown only for X.509 certificates that carry a precertificate-based SCT extension.

As of today about 6.7 million certificate chains are registered in Google's pilot CT log server, but only about 160,000 of them are registered as precertificates (that is, would be shown in Chrome as having public audit records).

Precertificate issuance over time

Registration of entries in the Google pilot log server itself began on 26 March 2013 with existing certificates (paths); let us chart the number of precertificates issued since CT was introduced.
(chart: blog-pre)
The first precertificate was registered in the Google pilot CT log in November 2013, and precertificate, that is SCT-enabled, certificate issuance started to be officially supported as a service around December 2014.

Which certification authorities (brands) supported CT early

As of September 2015, 96 intermediate CAs (sub-CAs) under 30 brands have issued precertificates. The order in which the 30 brands issued their first precertificate, with the dates, was as follows.

CA brand             First precertificate issued
DigiCert             2013-11-01
COMODO               2014-01-23
TAIWAN-CA            2014-05-09
Entrust              2014-07-21
AffirmTrust          2014-10-27
Symantec             2014-11-11
GlobalSign           2014-11-28
GeoTrust             2014-12-08
Thawte               2014-12-08
Buypass              2014-12-10
Network Solutions    2014-12-15
USERTRUST            2014-12-16
Trend Micro          2014-12-22
Starfield            2014-12-23
Go Daddy             2014-12-23
TERENA               2014-12-29
Trustwave            2015-01-05
Cybertrust           2015-01-07
VeriSign             2015-01-12
QuoVadis             2015-01-14
HydrantID            2015-01-22
Google UK            2015-01-27
Aetna                2015-01-29
IZENPE               2015-02-04
Certum               2015-02-05
Camerfirma           2015-02-20
NCC                  2015-03-30
SECOM Trust          2015-04-30
Actalis              2015-05-18
WoSign               2015-08-20

It is no surprise that DigiCert, which worked with Google on the CT specification and implementation, was early, but TAIWAN-CA (TWCA) of Taiwan was early too. The Japanese vendors are doing their part as well.

Precertificates issued, by count

Next, let us look at the number of precertificates issued. The big names at the top are no surprise, but Cybertrust seems to be working hard. Come to think of it, what is StartSSL up to? The ones with around ten or fewer are probably still testing.

CA brand             Precertificates issued
Symantec             50760
DigiCert             20856
GeoTrust             17447
COMODO               14573
Cybertrust           13020
Go Daddy             12635
Thawte               9891
Entrust              6616
GlobalSign           6063
TERENA               2363
QuoVadis             1873
Google UK            1861
Starfield            1262
Network Solutions    939
Trend Micro          615
Certum               367
VeriSign             196
WoSign               187
Trustwave            177
SECOM Trust          161
Buypass              154
IZENPE               116
TAIWAN-CA            76
HydrantID            37
Aetna                34
NCC                  25
AffirmTrust          10
Actalis              7
USERTRUST            7
Camerfirma           4

What tools I built

For this investigation I have been building tools in Perl and Node (+jsrsasign) and gradually setting up an environment. I could publish them, but unless I write documentation and properly implement command line options and so on, someone gets angry with "it's useless without docs!!" and that is pretty deflating. It is open source, so people could just read the code a bit, and the test code shows exactly how to use it... that's what I keep thinking. (Sorry, that was a jsrsasign grumble.)

Roughly, these are the tools I have built (there are others, but these are the ones relevant to this post):

• an SQLite database holding only the precertificates and their parsed information
• a tool that saves the leaf_input of log entries
• a tool that saves the extra_data of log entries
• a tool that extracts the precertificate chain from a log entry and stores it as certificates
• a parser for the saved leaf_input data files
• a tool that attaches a fake signature to the TBSCertificate of a precertificate and turns it into a passable certificate (there is no such thing as a general TBSCertificate viewer, so being able to do this lets you use ordinary certificate viewers such as the openssl x509 command, which is very handy)
• a tool that shows the registration date of a log entry

Closing

This time I reported mainly the statistics learned from examining the log database. Next time I hope to write about the data structures and the contents of precertificates. See you.

Thawte's mis-issuance of a google.com certificate, supposedly discovered through Certificate Transparency???

On Saturday 19 September 2015 an article titled "Symantec caught issuing rogue Google.com certificates" came in, and being a CA, certificate and SSL incident, I pounced on it excitedly. A quick read says:

Thawte, a subsidiary of the large security vendor Symantec that runs an inexpensive certificate issuing service, on 14 September 2015 mis-issued EV SSL certificates for google.com and www.google.com without Google's consent, and this was discovered via the public audit records of certificates (Certificate Transparency).

That seems to be the story. Having this kind of problem with EV certificates, which are issued only after strict vetting, is bad. On Twitter some people were saying things like:

"Good thing Certificate Transparency was there. Phew." That is the mood, and I think it is the worst possible take. It is Silver Week and I have time, so let me write about this.

What Certificate Transparency is

Certificate Transparency (CT from here on) is a scheme devised by people at Google: every SSL server certificate (and its chain) ever issued by any certification authority, past and present, is recorded on servers called log servers and made public, so that everyone in the world can spot mis-issued certificates quickly. Some certificate issuing services already support it, and some companies call the result a "watermarked certificate", but "transparency of certificate issuance" conveys the meaning more accurately.

The registration protocol, the stored data format and the mechanism are an experimental RFC, and there is a plan to move it to the standards track on the grounds that log servers, web browsers and certification authorities have built up enough implementation experience.

I have been looking at CT closely for about a year, hold a negative view of its use because of its various problems, and have talked about this at several study groups.

Looking at the comments from the parties involved

About this incident, Google's program manager for security & privacy, who is in charge of CT, published a post titled "Improved Digital Certificate Security" on 18 September, stating:

• Around 19:20 GMT on 14 September the CA of Thawte, a Symantec subsidiary, issued a pre-certificate for google.com and www.google.com.
• Google had not requested this pre-certificate; Thawte issued it on its own.
• Google discovered the mis-issuance from the CT logs.
• Through discussion between Google and Thawte (Symantec) it turned out to have been issued for Thawte's internal testing.
• Google added the public key that was used to the revocation information carried in Chrome, invalidating it.
• At this time there is no risk.

In response, people at Thawte (Symantec) published a post titled "A Tough Day as Leaders" on the same 18 September, stating:

• A small number of test certificates for three domains were inappropriately issued internally.
• The keys were under Thawte's control, and the certificates were revoked as soon as the problem was found.
• At this time there is no danger of any kind on the Internet.
• The owner of the domains in question has been notified.
• It was an operational mistake (human error), but they will work to prevent a recurrence.

The post repeatedly uses phrases like "(we are) leaders of the security industry, so (and so on)", and the comments say things like "this is nothing like the response of a leader", which is exactly right: it is a rather irresponsible report and must not be the end of it. The report leaves these points unanswered:

• When the rogue certificates were issued, when the problem was detected, when Google and others were consulted, when the certificates were revoked and when they were entered in the browser certificate blacklists: the timeline is not given.
• The domains involved are not given. Besides google.com and www.google.com, what was the third?
• What was being tested, and for what purpose, is not given.
• Why it was not done in a test environment is not explained. Testing should never be done in the production environment.
• Why it was not done with a test domain such as example.com. Especially as google.com is a domain that has been abused for state-level eavesdropping.
• It is very likely a violation of the operating rules (CPS) of the Thawte EV CA, but this is not mentioned.
• How did this fare against WebTrust for CA - EV, the audit criteria for CAs that issue EV certificates?

Thawte has caused several problems before, and I cannot help thinking the industry might be better off asking it to "leave the stage".

Now then, shall we take a look at CT

First a brief explanation of "precertificates". This page of my study group slides is a good reference; a certificate whose issuance is recorded in a CT log is issued in the following steps.

1. The CA builds a precertificate from the data of the certificate it intends to issue (the TBSCertificate) and sends it to the log server.
2. The log server records the precertificate in its log and returns to the CA a signed piece of data called a Signed Certificate Timestamp (SCT) as evidence of the registration.
3. The CA puts the SCT, the evidence of registration in the log server, into the certificate's extensions and issues the certificate.

The precertificate is the information registered in the log server, published by the log server as "evidence that the CA intended to issue the certificate".

According to Google's announcement the precertificate was issued around 19:20 GMT on 14 September, so I accessed the CT log server and collected the log entries from around that time. The CT data structures and the access API are utterly unhelpful: there is no way at all to search by the domain name an SSL server certificate was issued for, or by CA, so you have to pull the entries out first and examine them. Do they even want people to search? Who designed such an awful API?

Worse, I had left my mirror of the log server data at the office, and on my Mac at home my home-grown Perl tools would not run for some reason (the CPAN modules would not install), nor would the Ruby tools (they do not work with the newer version), so I ended up quickly rewriting the tools in Node... orz

Anyway, I wanted to pull from Google's pilot log server the entries from about 19:10 to 19:30 on 14 September, but since entries cannot be fetched by time either, I first fetched entries at arbitrary indexes, checked their registration timestamps to home in on the time, and looked for the approximate index corresponding to 19:10. With a Node tool that reports the timestamp of a given index I found that index 9213980 is 19:09:03 and 9214310 is 19:31:22. There are 330 entries in between, which narrows things down considerably.

I then fetched those 330 log entries, built a tool that skips proper X.509 certificates and dumps only the precertificates to files, and going through the 19 resulting files found that the one at index 9214148, registered at 19:20:01, looked like the google.com precertificate.

Why was this such a hassle? The log entries for these precertificates seem to differ from the data structure specified in the RFC, so the tools I wrote a while ago cannot parse them. I suspect the registering side is violating the RFC, but...

Next, let us look at the precertificate

Having found the log entry I was after, let us extract the precertificate and look inside. But what the data contains is not the ASN.1 structure of a precertificate; it is simply the TBSCertificate of the certificate to be issued. There is no precertificate-specific extension either... I wonder why. Isn't that an RFC violation? (It is in fact what RFC 6962 section 3.2 prescribes: the PreCert in leaf_input holds the TBSCertificate with the poison extension stripped, next to a SHA-256 hash of the issuer's public key, while the complete precertificate and its chain are carried in the entry's extra_data.) The contents of the TBSCertificate look like this.

Serial number:        0A B4 C7 3C 41 3A 01 94 9F 23 78 F2 B2 29 F6 6C
Signature algorithm:  SHA256withRSA
Issuer:               CN=thawte EV SSL CA - G3, O=thawte, Inc., C=US
Validity:             2015-09-14 00:00:00 UTC to 2015-09-15 23:59:59 UTC
Subject:              CN=google.com, L=Mountain view, ST=California, C=US, serialNumber=2158113,
                      businessCategory=Private Organization,
                      O=Symantec Corp,
                      jurisdictionOfIncorporationStateOrProvinceName=Delaware,
                      jurisdictionOfIncorporationCountryName=US
Extensions:
  Subject alternative name:      www.google.com, google.com
  Basic constraints:             empty (not a CA)
  Key usage:                     digitalSignature, keyEncipherment
  CRL distribution point:        http://ti.symcb.com/ti.crl
  Certificate policies:
    OID:      Thawte EV policy (2.16.840.1.113733.1.7.48.1)
    CPS:      https://www.thawte.com/cps
    UNotice:  https://www.thawte.com/repository
  Extended key usage:            serverAuth, clientAuth
  Authority key identifier:      F07051DAD32A914F5277D78677740FCE711A6C22
  Authority information access:
    OCSP:       http://ti.symcd.com
    caIssuers:  http://ti.symcb.com/ti.crt

Wow, it is a full-blown google.com EV SSL certificate with Symantec as the subject. That is bad. It is also bad that Thawte issued a certificate with Symantec as the subject on its own initiative. And they said the validity was one day, but it is a full two days.

Closing

In the end this is an operational mistake, or rather a major blunder, by Thawte: issuing, in the production environment, a certificate for "the touchiest, most dangerous domain there is". With proper CA software it would have been recorded in the internal audit log, and had it not leaked outside it would have stayed an internal test; if the CA were run properly, this could never happen. CT's operation is sloppy, it is not a technically complete mechanism, it has privacy problems, and CT itself has all sorts of issues, yet none of that gets any attention and the tone has become "good thing CT was there", which hands it an easy win. I find that truly unfortunate. The other certificate issuing services, or rather CA vendors, are entitled to be angry with Thawte; the CA/Browser Forum has in practice become an "SSL Browser Forum" and cannot be relied on at all, and unless something like the CA Security Council deals with the problem firmly, things look bad. The timidity of the certificate issuing services is disappointing.

Addendum 1 (2015-09-21 20:05)

Checking the published CRL, I found that the rogue google.com certificate described above was revoked at 17:53:55 UTC on 16 September 2015. Since it has expired anyway, revoking it hardly makes a difference, though.

Addendum (2015-10-01 20:00)

I was building a system for analysing every precertificate log entry in the log server, so this report comes late. Symantec's report says:

We learned on Wednesday that a small number of test certificates were inappropriately issued internally this week for three domains during product testing.

Since it mentioned "three domains", I thought there might be one more besides www.google.com and google.com. I went through all precertificate log entries and carefully checked the period when the certificate in question was issued, and found no other suspicious precertificate issued by thawte. Presumably they counted:

• www.google.com in the CN of the subject distinguished name (DN)
• www.google.com in the subjectAltName extension
• google.com in the subjectAltName extension

as three, and in the end it was only the two, www.google.com and google.com. Well, that may be for the best.

Addendum (2015-11-01 23:59)

On 2 October (or 13 October) Symantec published its final report on this incident.
https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_10_13_2015v3b.pdf
The report does not appear to say much of substance.

Google has responded to it on its blog.
Sustaining Digital Certificate Security (2015/10/28)
https://googleonlinesecurity.blogspot.jp/2015/10/sustaining-digital-certificate-security.html

SSL/TLS as seen in the SSL Pulse statistics (August 2015 edition)

The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, well known for ssllabs, and publishes monthly SSL-related statistics for the world's top 200,000 sites by traffic according to the web survey company Alexa. Following the June edition, let us chart the SSL/TLS trends from the August SSL Pulse.

Vulnerability mitigation trend

(chart: 201508-vuln)
The share of sites allowing RC4 keeps falling steadily; on the whole things look fine. Boring.

SSL/TLS protocol trend

(chart: 201508-ssl)
Thanks to POODLE, the share of sites still supporting SSLv3 is steadily falling and is at 35.0%. Also boring.

SSL server certificate key length and signature algorithm trend

(chart: 201508-crt)
Driven by the SHA-1 certificate warnings in Google Chrome and Windows products, the migration to SHA-2 continued smoothly this month: SHA1withRSA is at 31.9% and SHA256withRSA at 67.2%.

Support for newer technologies

(chart: 201508-new)
Hmm, boring as well.

Minimum key exchange strength

(chart: 201508-kx)
Key exchange strength is moving nicely away from 512-bit and 1024-bit toward 2048-bit equivalent.

Minimum DH key exchange key length

(chart: 201508-dh)
The use of 1024-bit and 512-bit DH, whose strength is insufficient, is falling steadily and 2048-bit is rising, but the rate is nothing much, and I still think DH/DHE is better left unused.

Minimum ECDH key exchange key length

(chart: 201508-ecdh)
Sites that cannot do ECDH/ECDHE are steadily decreasing and sites that can are increasing; sites that can use 256-bit ECC ECDH/ECDHE are up to 58.5%.

Closing

This week I am at the national Security Camp, so this is the light version.

SSL/TLS as seen in the SSL Pulse statistics (June 2015 edition)

The SSL Pulse site (https://www.trustworthyinternet.org/ssl-pulse/) is run by Qualys, well known for ssllabs, and publishes monthly SSL-related statistics for the world's top 200,000 sites by traffic according to the web survey company Alexa. Following the May edition, let us chart the SSL/TLS trends from the June SSL Pulse. I had meant to do this every other month, but I wanted to see the effect of Logjam, so I did it this month too. (Not true: this was a month I did not need to do it, but I forgot and made the charts anyway orz)

Vulnerability mitigation trend

(chart: 201506vuln)

SSL/TLS protocol trend

(chart: 201506proto)
Thanks to POODLE, SSLv3 is steadily being disabled, and the share of sites supporting it has fallen to 37.6%.

SSL server certificate key length and signature algorithm trend

(chart: 201506crt)
Driven by the SHA-1 certificate warnings in Google Chrome and Windows products, the ratio of SHA-1 to SHA-2 certificates flipped in May, and the SHA-2 migration is progressing well: SHA-2 is at 60% and SHA-1 at 40%.

Support for newer technologies

(chart: 201506adv)
OCSP stapling support had started to climb but has fallen back again.

Minimum key exchange strength

(chart: 201506kx)
Key exchange data has been available since March, so trends are finally becoming visible.

Minimum DH key exchange key length

(chart: 201506dh)
With the Logjam vulnerability, a downgrade to weak export-grade DH(E) keys, published in May, DH key exchange key lengths have increased overall, but the change is only 2 to 3%. Rather than configuring longer DH keys, it seems better not to use DH key exchange at all and to use the ECDH family instead.

According to the blog of Matthew Green, one of the discoverers of Logjam, to succeed the man in the middle has to break the DH key within the short time window of the handshake, but with precomputation for a given set of key parameters this is feasible: 512-bit can be broken in tens of seconds even on ordinary hardware, and while 1024-bit may be out of reach for ordinary attackers, for an intelligence agency such as the NSA the cost is not at all impossible relative to its budget. Scary.

Minimum ECDH key exchange key length

(chart: 201506ecdh)
The ratio of sites that can and cannot use the ECDH family of key exchange flipped in May, and the use of 256-bit ECC is progressing well.

Closing

Next Monday is a JNSA study group, so I had better get the slides done soon. Ogya-san really does draw an incredible crowd, though.
