分类: LINUX
2014-08-18 13:38:00
原文地址:[Wiki] public key certificate 作者:ailms
Public key certificate
From Wikipedia, the free
encyclopedia
(Redirected from )
Jump to: ,
In , a public key certificate (or identity certificate) is an electronic document which incorporates a to bind together a with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.
# 注释 :在密码学中,public key certificate (或者 identity certificate)是一个电子文档,配合数字签名,用于把一个公钥(public key)和一个身份(例如个人或者组织)
# 绑定起来。证书(Certificate)可以用于核实一个公钥
In a typical (PKI) scheme, the signature will be of a (CA). In a scheme, the signature is of either the user (a ) or other users ("endorsements"). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.
Contents |
Principles
Certificates are useful for large-scale . Securely exchanging secret keys amongst users becomes
impractical to the point of effective impossibility for anything other than
quite small networks. Public key cryptography provides a way to avoid this
problem. In principle, if
wants others to be
able to send secret messages, she needs only to publish her public key. Anyone
possessing it can then send secure information to her. Unfortunately, David
could publish a different public key (for which he knows the related private
key) claiming that it is
# 注释 :假设 Alice 对外发布了它的 public key ,则任何拥有该 public key 的人可以向 Aliace 发送加密消息。
# 但如果有人发布了一个自己 Public key ,并声称是 Alice ,则可以借此冒充 Alice 和别人通信,以窃取原本不属于它的信息。
# 但如果 Alice 把自己的 public key “放入” 一个证书,并用可信任的第三方(CA)签名,则任何信任该第3方的人都可以通过该 CA
# 来确认拥有该证书的人就是 Alice ,这就是 CA 的作用
# 补充:再举一个例子,假设你获得了一张 RHCE 证书,在求职时你向招聘公司出示你的 RHCE 证书,那用人单位如何知道你的确就是一个 RHCE 呢?
# 它可以通过该证书上的序列号(签名)到 Redhat 的站点(证书库)上去查找,如果的确存在该序列号的证书,并且上面的信息和你的证书上的信息一样,
# 则认为你就是该 RHCE 。
In a web of trust,
In large-scale deployments, Alice may not be familiar with Bob's certificate authority (perhaps they each have a different CA — if both use employer CAs, different employers would produce this result), so Bob's certificate may also include his CA's public key signed by a "higher level" CA2, which might be recognized by Alice. This process leads in general to a hierarchy of certificates, and to even more complex relationships. Public key infrastructure refers, mostly, to the software that manages certificates in a large-scale setting. In PKI systems, the hierarchy of certificates is always a top-down tree, with a at the top, representing a CA that is so central to the scheme that it does not need to be authenticated by some trusted third party.
# 注释 :但如果两个用户 Bob 和 Alice 使用的 CA 不同,则需要看它们的 CA 的上级 CA (假设为 CA-higher),假设这个 CA-higher 对于双方的 CA
# 来说都是一样的,这个过程将一直向上,一直到根证书。在 X.509 中,证书的结构是一个从上到下的树型结构,顶点是一个根证书,它是一个不需要其他上级
# CA 来证明其权威性的证书
A certificate may be revoked if it is discovered that its related private key has been compromised, or if the relationship (between an entity and a public key) embedded in the certificate is discovered to be incorrect or has changed; this might occur, for example, if a person changes jobs or names. A revocation will likely be a rare occurrence, but the possibility means that when a certificate is trusted, the user should always check its validity. This can be done by comparing it against a (CRL) — a list of revoked or cancelled certificates. Ensuring that such a list is up-to-date and accurate is a core function in a centralized PKI, one which requires both staff and budget and one which is therefore sometimes not properly done. To be effective, it must be readily available to anyone who needs it whenever it is needed and must be updated frequently. Another way to check a certificate validity is to query the certificate authority using a protocol such as the (OCSP), in which a third party server parses the revocation list and returns an answer to the client.
# 注释 :要注意,证书是可以被废弃的,例如证书的持有人信息发生变化,或者密钥丢失。所以有一个称为 CRL(Certificate Revocation List,证书回收列表),
# 它包含了所有被废弃的证书,PKI 系统有一个重要的功能就是保证该列表的内容及时更新。这也允许通信双方中的一方检查该证书的有效性,以防止对方使用一个
# 过期的证书来欺骗。还有一种用于验证证书有效性的方法就是查询该证书的发行 CA ,通过 Online Certificate Status Protocol ,它可以通过一个第三方的服务器
# 检查 CRL 并返回答案
A certificate typically includes:
# 注释 :一个证书通常包括 :
# -)1、公钥
# -)2、持有人名称
# -)3、有效期
# -)4、CRL 列表的 URL
# -)5、由 CA 的密钥加密过的数字签名
The most common certificate standard is the . X.509 is being adapted to the Internet by the .
# 注释 :关于证书的最常用标准是 X.509
Classes
introduced the concept of classes of digital certificates:
# 注释 :VeriSign 公司引入了数字证书的分类概念 :
# -)1、class1 :个人,用于邮件
# -)2、class2 :组织,用于标明身份
# -)3、class3 :用于服务器和软件标识
# -)4、class4 :公司之间的在线商务交易
# -)5、class5 :政府或者保密组织
Certificates and Web Site
security
The most common use of certificates is for web sites, where a validates that an SSL (Transport Layer Security) is authentic, so that the user can feel secure that their interaction with the has no eavesdroppers and that the web site is "genuine" and not an impostor.
# 注释 ;数字证书最常见的使用领域就是在 web 领域,web 浏览器验证一个 SSL 站点的权威性,以让用户确信它们之间的通信是安全的,保密的。
This security is important for . In practice a web site operator obtains a certificate by applying to a certificate provider with a . The certificate request is an electronic document that contains the web site name, contact email address, and company information. The certificate provider signs the request, thus producing a public certificate.
# 注释 :要获得证书,你必须向 CA 提出申请,该请求包括站点名称、联系人地址等信息。CA 会核对该申请并生成一个公共证书
This public certificate is served to any web browser that connects to the web site and proves to the web browser that the provider believed that the provider issued a certificate to the owner of the web site.
# 注释 :这个公共证书就是用于浏览器连接到 SSSL 站点时,告诉浏览器这个 CA 的确是向该站点发放了一个证书
Before issuing a certificate, the certificate provider will request from a public the contact email address for the web site name, and then check that against the email address supplied in the certificate request.
# 注释 :在发放证书前,CA 会通过域名注册机构找到该站点的联系邮件地址,并和申请中的比对,看是否一致
Therefore, an web site is only secure in as much as the user can be sure that the web site is operated by someone in contact with the person that registered the .
As an example, when a user uses their web browser to connect to , and if the browser gives no certificate warning message, then the user can be sure that interacting with is equivalent to interacting with the entity in contact with the email address listed in the public registrar under "example.com", even though that email address may not be displayed anywhere on the web site. No other surety of any kind is implied. Further, the relationship between the purchaser of the certificate, the operator of the web site, and the generator of the web site content may be tenuous and is not guaranteed. At best, the certificate guarantees uniqueness of the web site, provided that the web site itself has not been compromised (hacked) or the certificate issuing process subverted.
# 注释 :
Certificate providers
A 2005 survey determined that and its acquisitions such as have a 53% share of the certificate authority market, followed by GeoTrust (25%), (12%), (4%) and (2%). (GeoTrust has since been acquired by VeriSign.)
# 注释 :就目前来说,最多人注册的 CA 就是 VeriSign 和 Thawte ,然后是 GetoTrust
A more recent market share report from Security Space as of
April 2007 determined that and its
acquisitions (including GeoTrust) have a 59.6% share of the certificate
authority market, followed by (8.3%),
(5.3%),
(2.1%),
(1.3%) and
(1.1%).
is a
community-driven certificate authority that issues free public key
certificates.