【Hyperledger Fabric】Digital Certificates

Digital Certificates

A digital certificate is a document which holds a set of attributes relating to a party. The most common type of certificate is the one compliant with the X.509 standard, which allows the encoding of a party’s identifying details in its structure. For example, John Doe of Accounting division in FOO Corporation in Detroit, Michigan might have a digital certificate with a SUBJECT attribute of C=US, ST=Michigan, L=Detroit, O=FOO Corporation, OU=Accounting, CN=John Doe /UID=123456. John’s certificate is similar to his government identity card – it provides information about John which he can use to prove key facts about him. There are many other attributes in an X.509 certificate, but let’s concentrate on just these for now.

A digital certificate is a document that records a set of attributes of a party. The most common digital certificate is one that complies with the X.509 standard, which allows a party's identifying details to be encoded. For example, the digital certificate of John Doe of the Accounting division in FOO Corporation in Detroit, Michigan has a SUBJECT made up of the attributes (C=US, ST=Michigan, L=Detroit, O=FOO Corporation, OU=Accounting, CN=John Doe /UID=123456). John's certificate is much like his identity card: both provide key facts that prove John is who he says he is. An X.509 digital certificate has many other attributes as well, but for now we focus on these:


A digital certificate describing a party called John Doe. John is the SUBJECT of the certificate, and the highlighted SUBJECT text shows key facts about John. The certificate also holds many more pieces of information, as you can see. Most importantly, John’s public key is distributed within his certificate, whereas his private signing key is not. This signing key must be kept private.

A digital certificate describing John Doe. John Doe is the SUBJECT of this certificate, and the bold SUBJECT section states key facts about John. The certificate also contains a great deal of other information. John's public key is in his digital certificate, but his private key is not; this signing key must be kept private.

What is important is that all of John’s attributes can be recorded using a mathematical technique called cryptography (literally, “secret writing”) so that tampering will invalidate the certificate. Cryptography allows John to present his certificate to others to prove his identity so long as the other party trusts the certificate issuer, known as a Certificate Authority (CA). As long as the CA keeps certain cryptographic information securely (meaning, its own private signing key), anyone reading the certificate can be sure that the information about John has not been tampered with – it will always have those particular attributes for John Doe. Think of Mary’s X.509 certificate as a digital identity card that is impossible to change.

What matters is that all of John's attributes can be recorded using mathematical cryptography, so that tampering with the information invalidates the certificate. Cryptography allows John to present his certificate to others to prove his identity, as long as the other party trusts the certificate issuer, usually a Certificate Authority. As long as the Certificate Authority keeps its private information secure, everyone who reads the certificate can be sure that the information about John has not been tampered with.
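To make the CA signature and tamper detection described above concrete, here is an added Go example (not code from the Fabric documentation or from this post) using only the standard library: a toy CA issues a certificate carrying John's SUBJECT attributes and only his public key, the CA's signature over it is checked, and changing one attribute inside the encoded certificate is shown to invalidate it. The CA name "Example CA", the P-256 keys and the one-hour validity period are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCerts builds a toy CA (the name "Example CA" is assumed) and has it sign a certificate carrying the
// SUBJECT attributes from the text. Only John's PUBLIC key goes in; his private key (johnKey) never leaves here.
func issueCerts() (caDER, johnDER []byte, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	johnKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(time.Hour)}
	if caDER, err = x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	john := &x509.Certificate{SerialNumber: big.NewInt(123456), NotBefore: now, NotAfter: now.Add(time.Hour),
		Subject: pkix.Name{Country: []string{"US"}, Province: []string{"Michigan"}, Locality: []string{"Detroit"},
			Organization: []string{"FOO Corporation"}, OrganizationalUnit: []string{"Accounting"}, CommonName: "John Doe"}}
	johnDER, err = x509.CreateCertificate(rand.Reader, john, ca, &johnKey.PublicKey, caKey) // signed with caKey
	return caDER, johnDER, err
}

// verify reports whether the CA's signature over John's attributes and public key is still intact.
func verify(caDER, johnDER []byte) bool {
	caCert, err1 := x509.ParseCertificate(caDER)
	johnCert, err2 := x509.ParseCertificate(johnDER)
	if err1 != nil || err2 != nil {
		return false
	}
	return johnCert.CheckSignatureFrom(caCert) == nil
}

// tamper swaps the CN for a same-length value: the ASN.1 still parses, but the signed bytes changed.
func tamper(der []byte) []byte {
	return bytes.Replace(der, []byte("John Doe"), []byte("Jane Doe"), 1)
}
func main() {
	caDER, johnDER, _ := issueCerts()
	fmt.Println("intact:", verify(caDER, johnDER), "tampered:", verify(caDER, tamper(johnDER))) // intact: true tampered: false
}
```

The tampered certificate still parses cleanly, so a reader who only looks at the attributes would see nothing wrong; only checking the CA's signature reveals the change.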