摘要： PKI/PMI体系如果缺乏规范的时钟机制可能产生时钟不同步现象，因此，在可用性和安全性方面存在隐患。该文通过对在线证书状态协议(OCSP)及PMI认证特性的分析，提出一种基于OCSP中间件的时钟同步技术。应用该技术构建的身份认证与访问控制系统可以消除上述隐患，不会明显加重系统负担，或引入额外风险，适用于多数一般性的数字证书应用。

关键词: 权限管理基础设施, 时钟同步, 在线证书状态协议, 网络时间协议

Abstract: The lack of normative clock mechanism in PKI/PMI probably causes asynchronization, thus the infrastructures has hidden defects of usability and security. By analyzing the features of OCSP and PMI, this paper brings a clock synchronization technology based on OCSP middleware to solve the problem. An identity authentication and access control system with the technology can eliminate those defects above, and it neither overtasks the system markedly nor imports extra risk. It is applicable in most common digital certificate application.

Key words: Privilege Management Infrastructure(PMI), clock synchronization, Online Certificate Status Protocol(OSCP), Network Time Protocol (NTP)

中图分类号: 

• TP309