In , a
public key infrastructure (PKI) is an arrangement that binds
with
respective user identities by means of a
(CA). The user identity must be unique for each CA. The binding is
established through the registration and issuance process, which, depending on
the level of assurance the binding has, may be carried out by software at a CA,
or under human supervision. The PKI role that assures this binding is called the
Registration Authority (RA) . For each user, the user identity, the
public key, their binding, validity conditions and other attributes are made
unforgeable in
issued by the CA.
# 注释 :所谓 PKI 就是一个通过 CA 绑定公钥和用户身份的系统。对于每个 CA
来说,用户身份信息必须是唯一的,整个绑定过程是从注册到确认(发放证书),
# 证书的发放可以是通过软件下载,也可以是人工送上门。PKI 角色中负责该角色的就是 RA
(注册中心)。
The term
(TTP) may also be used for
(CA). The term PKI is sometimes erroneously used to denote
which, however, do not require the use of a CA.
# 注释 :CA 有时也被成为
TTP(受信任第三方)。
# 注释 :一般来说,PKI 由客户端软件、服务器软件、硬件(例如 smart card)、法律合同和保证书、操作流程组成。
# 一个签名者的公钥证书可以被第3方用于验证一个消息的数字签名是否就是来自该签名者的私钥所加密而成的。
# 注释:每个 PKI
系统都和自己的目录方案紧密的联系在一起,每个客户的公钥一般存贮(嵌入到)LDAP 目录中
PKI software
When deploying a PKI, the most important part is an
appropriate CA software. There are several solutions on the
market:
- Microsoft:
and contain a CA software, which is integrated into the and doesn't require additional licence fees. This is currently the
most popular solution on the market.[]
- - A built-in CA, leveraging existing user directory
management systems (e.g. ,
and
). The solution
automatically generates digital certificates for users on the user directory,
eliminating the common overhead found with other traditional PKI solutions.
- : Linux supports and , which are two CA
solutions. It also supports .
- : Free software which generates and controls users' public
keys.
- : Offers the Novell Certificate Server, which is
integrated into the eDirectory. Alternatively, the eDirectory add-on product
cv act PKIntegrated (provided by a third party vendor at additional
costs) can be used.
- : Offers TrustedRoot" a PKI CA Rootstore chaining program
(Root Sign) which allows you to get immediate trust for your SSL, S/MIME and
code signing certificates by chaining your Microsoft CA or Inhouse CA Root
Certificate to the pre-trusted GlobalSign root certificate.
- : The product Entrust Authority is the most popular
among the not-for-free CA solutions.[] Entrust offers PKI software and a managed service options
mainly in the .gov space.
- : Offers a product calledTrustedCA.
- : Offers a product called CCA.
- : open source PKI Web GUI project.
- Certificate
System: Formerly the Netscape Certificate Server.
- ChosenSecurity: Offers a managed PKI for the enterprise using TC
TrustCenter technology.
- : Offers a managed PKI for the banking community.
阅读(524) | 评论(0) | 转发(0) |