PKI 基础理论-5
2011-07-17 14:43
176 查看
The digital signature computed on the certificate fields, added by the CA when creating the certificate. By generating this signature, a CA certifies Chapter 2: Understanding PKI Building Blocks the validity and authenticity of the information in the fields. In particular, the CA certifies the binding between the public key material and the subject of the certificate. When receiving a certificate from a peer, one of the first steps is to verify the signature to ensure that the certificate has not been tampered with.
证书字段计算的数字签名,由CA创建证书时添加。生成这个签名,CA认证第2章:了解PKI构建模块领域的信息的有效性和真实性。特别是CA认证的公钥材料和凭证的主体之间具有约束力。当接收到的证书,从一个同行的首要步骤之一是验证签名,以确保该证书没有被篡改。
The Privacy Enhanced Mail (PEM) encoding is common for representing certificates in text format. It can be easily identified through the use of headers and trailers indicating the content (certificate, private key, and so on). Example 2-2 shows a certificate in PEM format.
PEM编码是一种常见的使用文本格式来描述证书
______________________________________________________________________________________
CA responsible for creating and distributing them.
For example, if someone is requesting a certificate with the name “Alice” in it, the certification authority is responsible for validating that it is actually Alice asking for it (and owning the corresponding keys) and not Bob. To document the involvement of the certification authority, the CA digital signature (generated with a private key) is added to the certificate as a proof. As the certification authority is also trusted by the other members of the PKI, verifying the CA signature on a certificate guarantees its authenticity and therefore the identity of its owner. The CA is the most important link in a PKI system. If the CA is ever compromised, the entire PKI implementation can no longer be trusted. Further sections show how the CA can be efficiently protected to minimize the risk.
当我们想requesting a certificate 的时候,CA会有纸质的方式记录备案,以及审查你的资格,确保我所发的证书的对象是真实,有效的。审查通过后,CA颁发电子证书并用自己的私钥进行签名,这个数字签名作为证书的一部分,用于证明证书的真实性和合法。另外证书内的要素包含了申请者得公钥和私钥,在电子运输过程中也要确保不能被篡改。在实体之间互相发送证书确认身份的时候,先要用CA的公钥解密,因为证书的数字签名是用CA的私钥加密的。解密之后的证书内容当然也就包含了申请人的信息和公钥和私钥。
——————————————————————————————————
Private Versus Public CAs
As you have seen, one of the main roles of the CA is to guarantee a trusted relationship.证书的主要角色之一就是确保信任关系
Depending on the targeted scope and scale of the PKI deployment, you can differentiate two types of CAs: private and public. 根据目标的PKI部署的范围和规模,可以区分两种类型的CAS:私有和公共的。
私有的CA一般就是在企业或者一些企业中的部门创建,操作,维护,他们只为公司或者部门内部提供服务。一个外部的公司不知道也不会信任这个CA。所以他能保证的信任关系也就只是在公司的内部和或者一些部门的内部。The main advantage of a private CA is that it offers you complete freedom in terms of structure.私有CA的主要优点是,它提供了您在结构方面的完全自由。(multiple levels of sub-CAs, for example) and content of certificates.自由度体现在多层and证书的内容方面,比如(Names and attributes can be chosen to accommodate the requirements.)名字和属性可以根据需要来自选择。主要限制就是信任关系有限the trust relationships are limited。比如阿里巴巴,中国建设银行、微软等等
public CA:reachable, and trusted on a more global basis (at the Internet level).更具有全球性的信任,可达的。也就是在整个互联网级别。一些core business来创建、操作、维护、管理。They are so widely used that the corresponding root certificates are installed by default in popular Internet web browsers.他们应用范围是非常的广泛,主流的浏览器都会默认安装他们的CA根证书。他们提供的服务就是从他们那去获得证书。当然他们要收钱。比如你登陆cisco的网站有https。那么cisco会向verisign(举例)申请一个实体证书,当然他们也会安装verisign的Root 证书。verisign会收费,基于license。客户端都安装了verisign的root证书,此时客户端和cisco 网站服务器的信任关系都是基于verisign。The content of the certificate (name format and attributes) is usually more constrained 当然证书的内容,比如名字和一些属性就不能自己定义了。现在一些国家也自己创建证书CA,比如中国。In some countries (Belgium, for example), each citizen now receives a personal certificate, usually stored on a personal identity card in the form of a smartcard.值一些国家,比如比利时,每个人都有一个自己的证书,这些个人证书存储在个人身份证里。
证书字段计算的数字签名,由CA创建证书时添加。生成这个签名,CA认证第2章:了解PKI构建模块领域的信息的有效性和真实性。特别是CA认证的公钥材料和凭证的主体之间具有约束力。当接收到的证书,从一个同行的首要步骤之一是验证签名,以确保该证书没有被篡改。
The Privacy Enhanced Mail (PEM) encoding is common for representing certificates in text format. It can be easily identified through the use of headers and trailers indicating the content (certificate, private key, and so on). Example 2-2 shows a certificate in PEM format.
PEM编码是一种常见的使用文本格式来描述证书
______________________________________________________________________________________
CA responsible for creating and distributing them.
For example, if someone is requesting a certificate with the name “Alice” in it, the certification authority is responsible for validating that it is actually Alice asking for it (and owning the corresponding keys) and not Bob. To document the involvement of the certification authority, the CA digital signature (generated with a private key) is added to the certificate as a proof. As the certification authority is also trusted by the other members of the PKI, verifying the CA signature on a certificate guarantees its authenticity and therefore the identity of its owner. The CA is the most important link in a PKI system. If the CA is ever compromised, the entire PKI implementation can no longer be trusted. Further sections show how the CA can be efficiently protected to minimize the risk.
当我们想requesting a certificate 的时候,CA会有纸质的方式记录备案,以及审查你的资格,确保我所发的证书的对象是真实,有效的。审查通过后,CA颁发电子证书并用自己的私钥进行签名,这个数字签名作为证书的一部分,用于证明证书的真实性和合法。另外证书内的要素包含了申请者得公钥和私钥,在电子运输过程中也要确保不能被篡改。在实体之间互相发送证书确认身份的时候,先要用CA的公钥解密,因为证书的数字签名是用CA的私钥加密的。解密之后的证书内容当然也就包含了申请人的信息和公钥和私钥。
——————————————————————————————————
Private Versus Public CAs
As you have seen, one of the main roles of the CA is to guarantee a trusted relationship.证书的主要角色之一就是确保信任关系
Depending on the targeted scope and scale of the PKI deployment, you can differentiate two types of CAs: private and public. 根据目标的PKI部署的范围和规模,可以区分两种类型的CAS:私有和公共的。
私有的CA一般就是在企业或者一些企业中的部门创建,操作,维护,他们只为公司或者部门内部提供服务。一个外部的公司不知道也不会信任这个CA。所以他能保证的信任关系也就只是在公司的内部和或者一些部门的内部。The main advantage of a private CA is that it offers you complete freedom in terms of structure.私有CA的主要优点是,它提供了您在结构方面的完全自由。(multiple levels of sub-CAs, for example) and content of certificates.自由度体现在多层and证书的内容方面,比如(Names and attributes can be chosen to accommodate the requirements.)名字和属性可以根据需要来自选择。主要限制就是信任关系有限the trust relationships are limited。比如阿里巴巴,中国建设银行、微软等等
public CA:reachable, and trusted on a more global basis (at the Internet level).更具有全球性的信任,可达的。也就是在整个互联网级别。一些core business来创建、操作、维护、管理。They are so widely used that the corresponding root certificates are installed by default in popular Internet web browsers.他们应用范围是非常的广泛,主流的浏览器都会默认安装他们的CA根证书。他们提供的服务就是从他们那去获得证书。当然他们要收钱。比如你登陆cisco的网站有https。那么cisco会向verisign(举例)申请一个实体证书,当然他们也会安装verisign的Root 证书。verisign会收费,基于license。客户端都安装了verisign的root证书,此时客户端和cisco 网站服务器的信任关系都是基于verisign。The content of the certificate (name format and attributes) is usually more constrained 当然证书的内容,比如名字和一些属性就不能自己定义了。现在一些国家也自己创建证书CA,比如中国。In some countries (Belgium, for example), each citizen now receives a personal certificate, usually stored on a personal identity card in the form of a smartcard.值一些国家,比如比利时,每个人都有一个自己的证书,这些个人证书存储在个人身份证里。
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 