CRL增量-过量发布综合模型研究

针对当前PKI应用规模的变化，提出了一种新模型：增量-过量发布综合模型。该模型采用将Delta-CRLs的Base CRL过量发布来实现。通过比较表明，该方式既可以减小信任方下载的CRL大小，改善了响应时间，减少时间碎片；又可以降低对Base CRL峰值请求率，从而降低对存储库的峰值带宽和平均负荷。文中同时指出，增量．过量发布综合模型优于传统模型和增量模型，但其发布性能依赖于PKI系统的证书有效期、证书吊销率、Delta CRL的颁发周期和时间跨度。Delta CRL的颁发周期越长，时间跨度越大，证书吊销率越高，证书有效期越短，过量发布Base CRL所带来的性能优化就越小。因此，增量-过量模型适合于在Delta CRL的颁发周期和时间跨度较短、证书吊销率不高、证书有效期较长的大型PKI系统中。

Research on the Delta and Over-Issued CRL Synthesis Model

According to the change of application scale of PKI system currently, an improved model: the Delta and over-issued CRL synthesis model is presented, it is realized by that Base CRL of Delta-CRLs is over-issued. Com- pared to other models, the improved model minimizes the size of CRL which can accelerate to response time and time piece, as well as the peak request rate for Base CRL, the peak bandwidth and average loads on CRL repositories. Si- multaneously it is presented in this paper that the improved model is better than traditional model and Delta-CRLs, but the issuance performance of the improved model depends on the rate of certificate revocation, period of certificate validity, time span and issue periods on Delta CRL. Rate of certificate revo-cation is more higher, time span and issue periods on Delta CRL is more longer and period of certificate validity is more shorter, the performance improvement by over-issued Base CRL is more less. So the improved model is fit for the large-scale PKIs whose rate of certificate revo-cation is not high, period of certificate validity is more longer, time span and issue periods on Delta CRL is more shorter.