身份识别
官方文档Identity
What is an Identity?(什么是身份识别)
The different actors in a blockchain network include peers, orderers, client applications, administrators and more. Each of these actors — active elements inside or outside a network able to consume services — has a digital identity encapsulated in an X.509 digital certificate. These identities really matter because they determine the exact permissions over resources and access to information that actors have in a blockchain network.
区块链网络中包含不同的成员,包括peers、orderers、client applications、administrators等。这些参与者(网络内部或外部能够使用服务的活动元素)中的每一个都有封装在X.509数字证书中的数字身份。这些身份确实很重要,因为它们确定了对资源的确切权限以及对参与者在区块链网络中拥有的访问信息的权限。
A digital identity furthermore has some additional attributes that Fabric uses to determine permissions, and it gives the union of an identity and the associated attributes a special name — principal. Principals are just like userIDs or groupIDs, but a little more flexible because they can include a wide range of properties of an actor’s identity, such as the actor’s organization, organizational unit, role or even the actor’s specific identity. When we talk about principals, they are the properties which determine their permissions.
此外,数字身份还具有Fabric用来确定权限的其他一些属性,它为身份和相关属性的并集提供了一个特殊名称-主体。主体就像是userIDs或groupIDs,但更加灵活,因为它们可以包含成员身份的各种属性,例如成员的组织,组织单位,角色,甚至成员的特定身份。当我们谈论主体时,它们是确定其权限的属性。
For an identity to be verifiable, it must come from a trusted authority. A membership service provider (MSP) is that trusted authority in Fabric. More specifically, an MSP is a component that defines the rules that govern the valid identities for this organization. The default MSP implementation in Fabric uses X.509 certificates as identities, adopting a traditional Public Key Infrastructure (PKI) hierarchical model (more on PKI later).
为了使身份可验证,它必须来自受信任的权威。 membership service provider (MSP)就是一个在Fabric中的受信任的权威。更具体地说,MSP是定义用于管理该组织角色的有效身份的组件。。 Fabric中的默认MSP实现是使用X.509证书作为身份,并采用传统的公共密钥基础结构(PKI)层次模型(稍后将在PKI上进行介绍)。
A Simple Scenario to Explain the Use of an Identity(通过一个简单的方案来解释身份识别的用法)
Imagine that you visit a supermarket to buy some groceries. At the checkout you see a sign that says that only Visa, Mastercard and AMEX cards are accepted. If you try to pay with a different card — let’s call it an “ImagineCard” — it doesn’t matter whether the card is authentic and you have sufficient funds in your account. It will be not be accepted.
想象一下你去一个超级市场去买一些杂货。在结账时你看到一个标志说只支持Visa、Mastercard和AMEX银行卡。如果你尝试使用其他银行卡-让我们叫它“想象的卡片”-银行卡是否真实和帐户中是否有足够的资金都没关系。它将不被接受。
Having a valid credit card is not enough — it must also be accepted by the store! PKIs and MSPs work together in the same way — a PKI provides a list of identities, and an MSP says which of these are members of a given organization that participates in the network.
拥有一个合法的信用卡还不够,他还必须被商店接受!PKIs和MSPs以相同的方式一起工作-PKI提供了身份识别的列表,MSP指出其中的哪些是参与该网络的给定组织的成员。
PKI certificate authorities and MSPs provide a similar combination of functionalities. A PKI is like a card provider — it dispenses many different types of verifiable identities. An MSP, on the other hand, is like the list of card providers accepted by the store, determining which identities are the trusted members (actors) of the store payment network. MSPs turn verifiable identities into the members of a blockchain network.
PKI证书颁发机构和MSP提供了类似的功能组合。PKI就像银行卡发卡组织一样,它分配许多不同类型的可验证身份。另一方面,MSP就像商店接受的发卡组织列表一样,确定哪些身份是商店支付网络的受信任成员(参与者)。MSP将可验证身份转换为区块链网络的成员。
Let’s drill into these concepts in a little more detail.
让我们更详细地研究这些概念。
What are PKIs?(什么是PKIs?)
A public key infrastructure (PKI) is a collection of internet technologies that provides secure communications in a network. It’s PKI that puts the S in HTTPS — and if you’re reading this documentation on a web browser, you’re probably using a PKI to make sure it comes from a verified source.
公钥基础结构(PKI)是网络技术的集合,这些技术在网络中提供安全的通信。是PKI将S置于HTTPS中-如果您正在网络浏览器上阅读此文档,您可能正在使用PKI来确保它来自经过验证的来源。
The elements of Public Key Infrastructure (PKI). A PKI is comprised of Certificate Authorities who issue digital certificates to parties (e.g., users of a service, service provider), who then use them to authenticate themselves in the messages they exchange in their environment. A CA’s Certificate Revocation List (CRL) constitutes a reference for the certificates that are no longer valid. Revocation of a certificate can happen for a number of reasons. For example, a certificate may be revoked because the cryptographic private material associated to the certificate has been exposed.
公钥基础结构(PKI)的元素。PKI由证书颁发机构组成,证书颁发机构向各方颁发数字证书,然后他们使用它们在环境中交换的消息中对自己进行身份验证。CA的证书吊销列表(CRL)构成了不再有效的证书的参考。吊销证书的原因有很多。例如,由于与证书关联的加密私有材料已被暴露,因此证书可能被吊销。
Although a blockchain network is more than a communications network, it relies on the PKI standard to ensure secure communication between various network participants, and to ensure that messages posted on the blockchain are properly authenticated. It’s therefore important to understand the basics of PKI and then why MSPs are so important.
尽管区块链网络不仅仅是通信网络,但它依赖于PKI标准来确保各种网络参与者之间的安全通信,并确保正确验证发布在区块链上的消息。因此,重要的是要了解PKI的基础知识,然后理解MSP为何如此重要。
There are four key elements to PKI,PKI有四个关键元素:
- Digital Certificates(数字证书)
- Public and Private Keys(公私钥对)
- Certificate Authorities(证书颁发机构)
- Certificate Revocation Lists(证书吊销列表)
Let’s quickly describe these PKI basics, and if you want to know more details, Wikipedia is a good place to start.
让我们快速介绍一下这些PKI基础知识,如果您想了解更多详细信息,那么Public_key_infrastructure是一个不错的起点。
Digital Certificates(数字证书)
A digital certificate is a document which holds a set of attributes relating to the holder of the certificate. The most common type of certificate is the one compliant with the X.509 standard, which allows the encoding of a party’s identifying details in its structure.
数字证书是一种文档,其中包含与证书持有者有关的一组属性。最常见的证书类型是符合X.509标准的证书,该证书允许在其结构中对参与方的标识详细信息进行编码。
For example, Mary Morris in the Manufacturing Division of Mitchell Cars in Detroit, Michigan might have a digital certificate with a SUBJECT attribute of C=US, ST=Michigan, L=Detroit, O=Mitchell Cars, OU=Manufacturing, CN=Mary Morris /UID=123456. Mary’s certificate is similar to her government identity card — it provides information about Mary which she can use to prove key facts about her. There are many other attributes in an X.509 certificate, but let’s concentrate on just these for now.
例如,底特律Mitchell汽车制造部门的Mary Morris,密歇根州可能有一个数字证书,其SUBJECT属性为C = US,ST = Michigan,L = Detroit,O = Mitchell Cars,OU = Manufacturing,CN = Mary Morris / UID = 123456。Mary的证书类似于她的政府身份证,它提供了有关玛丽的信息,她可以用来证明有关她的关键事实。X.509证书中还有许多其他属性,但现在让我们仅关注这些属性。
A digital certificate describing a party called Mary Morris. Mary is the SUBJECT of the certificate, and the highlighted SUBJECT text shows key facts about Mary. The certificate also holds many more pieces of information, as you can see. Most importantly, Mary’s public key is distributed within her certificate, whereas her private signing key is not. This signing key must be kept private.
数字证书描述了一个叫做Mary Morris的当事人,Mary是证书的SUBJECT ,突出显示的SUBJECT 文本显示了有关Mary的关键事实。如您所见,该证书还包含更多信息。最重要的是,Mary的公钥在证书中描述,但是私钥没有在证书中。签名用的私钥必须保密。
What is important is that all of Mary’s attributes can be recorded using a mathematical technique called cryptography (literally, “secret writing”) so that tampering will invalidate the certificate. Cryptography allows Mary to present her certificate to others to prove her identity so long as the other party trusts the certificate issuer, known as a Certificate Authority (CA). As long as the CA keeps certain cryptographic information securely (meaning, its own private signing key), anyone reading the certificate can be sure that the information about Mary has not been tampered with — it will always have those particular attributes for Mary Morris. Think of Mary’s X.509 certificate as a digital identity card that is impossible to change.
重要的是,可以使用称为加密的数学技术来记录Mary的所有属性,以免篡改证书。只要对方信任证书颁发者(Certificate Authority (CA)),密码学就可以允许Mary向他人出示她的证书以证明自己的身份。只要CA安全地保存某些加密信息(即其自己的专用签名密钥),任何阅读证书的人都可以确保有关Mary的信息未被篡改-它始终具有Mary Morris的那些特定属性。将Mary的X.509证书视为无法更改的数字身份证。
Authentication, Public keys, and Private Keys(认证方式,公钥和私钥)
Authentication and message integrity are important concepts in secure communications. Authentication requires that parties who exchange messages are assured of the identity that created a specific message. For a message to have “integrity” means that cannot have been modified during its transmission. For example, you might want to be sure you’re communicating with the real Mary Morris rather than an impersonator. Or if Mary has sent you a message, you might want to be sure that it hasn’t been tampered with by anyone else during transmission.
身份验证和消息完整性是安全通信中的重要概念。身份验证要求交换消息的各方确保创建了特定消息的身份。消息具有“完整性”意味着不能在其传输过程中对其进行修改。例如,您可能要确保与真实的玛丽·莫里斯(Mary Morris)而非模仿者进行交流。或者如果Mary已经给你发送了一个消息,你可能想要确保在传输过程中没有被其他任何人篡改过该消息。
Traditional authentication mechanisms rely on digital signatures that, as the name suggests, allow a party to digitally sign its messages. Digital signatures also provide guarantees on the integrity of the signed message.
Technically speaking, digital signature mechanisms require each party to hold two cryptographically connected keys: a public key that is made widely available and acts as authentication anchor, and a private key that is used to produce digital signatures on messages. Recipients of digitally signed messages can verify the origin and integrity of a received message by checking that the attached signature is valid under the public key of the expected sender.
The unique relationship between a private key and the respective public key is the cryptographic magic that makes secure communications possible. The unique mathematical relationship between the keys is such that the private key can be used to produce a signature on a message that only the corresponding public key can match, and only on the same message.
In the example above, Mary uses her private key to sign the message. The signature can be verified by anyone who sees the signed message using her public key.
Certificate Authorities(证书颁发机构)
As you’ve seen, an actor or a node is able to participate in the blockchain network, via the means of a digital identity issued for it by an authority trusted by the system. In the most common case, digital identities (or simply identities) have the form of cryptographically validated digital certificates that comply with X.509 standard and are issued by a Certificate Authority (CA).
CAs are a common part of internet security protocols, and you’ve probably heard of some of the more popular ones: Symantec (originally Verisign), GeoTrust, DigiCert, GoDaddy, and Comodo, among others.
A Certificate Authority dispenses certificates to different actors. These certificates are digitally signed by the CA and bind together the actor with the actor’s public key (and optionally with a comprehensive list of properties). As a result, if one trusts the CA (and knows its public key), it can trust that the specific actor is bound to the public key included in the certificate, and owns the included attributes, by validating the CA’s signature on the actor’s certificate.
Certificates can be widely disseminated, as they do not include either the actors’ nor the CA’s private keys. As such they can be used as anchor of trusts for authenticating messages coming from different actors.
CAs also have a certificate, which they make widely available. This allows the consumers of identities issued by a given CA to verify them by checking that the certificate could only have been generated by the holder of the corresponding private key (the CA).
In a blockchain setting, every actor who wishes to interact with the network needs an identity. In this setting, you might say that one or more CAs can be used to define the members of an organization’s from a digital perspective. It’s the CA that provides the basis for an organization’s actors to have a verifiable digital identity.
Root CAs, Intermediate CAs and Chains of Trust(根CA、中级CA和信任链)
CAs come in two flavors: Root CAs and Intermediate CAs. Because Root CAs (Symantec, Geotrust, etc) have to securely distribute hundreds of millions of certificates to internet users, it makes sense to spread this process out across what are called Intermediate CAs. These Intermediate CAs have their certificates issued by the root CA or another intermediate authority, allowing the establishment of a “chain of trust” for any certificate that is issued by any CA in the chain. This ability to track back to the Root CA not only allows the function of CAs to scale while still providing security — allowing organizations that consume certificates to use Intermediate CAs with confidence — it limits the exposure of the Root CA, which, if compromised, would endanger the entire chain of trust. If an Intermediate CA is compromised, on the other hand, there will be a much smaller exposure.
A chain of trust is established between a Root CA and a set of Intermediate CAs as long as the issuing CA for the certificate of each of these Intermediate CAs is either the Root CA itself or has a chain of trust to the Root CA.
Intermediate CAs provide a huge amount of flexibility when it comes to the issuance of certificates across multiple organizations, and that’s very helpful in a permissioned blockchain system (like Fabric). For example, you’ll see that different organizations may use different Root CAs, or the same Root CA with different Intermediate CAs — it really does depend on the needs of the network.
Fabric CA
It’s because CAs are so important that Fabric provides a built-in CA component to allow you to create CAs in the blockchain networks you form. This component — known as Fabric CA is a private root CA provider capable of managing digital identities of Fabric participants that have the form of X.509 certificates. Because Fabric CA is a custom CA targeting the Root CA needs of Fabric, it is inherently not capable of providing SSL certificates for general/automatic use in browsers. However, because some CA must be used to manage identity (even in a test environment), Fabric CA can be used to provide and manage certificates. It is also possible — and fully appropriate — to use a public/commercial root or intermediate CA to provide identification.
因为CA非常重要,所以Fabric提供了内置的CA组件,可让您在形成的区块链网络中创建CA。该组件(称为Fabric CA)是私有的根CA提供者,能够管理具有X.509证书形式的Fabric参与者的数字身份。由于Fabric CA是针对Fabric的根CA需求的自定义CA,因此它固有地无法提供SSL证书供浏览器中的常规/自动使用。但是,由于必须使用某些CA来管理身份(即使在测试环境中也是如此),因此可以将Fabric CA用于提供和管理证书。使用公共/商业根或中间CA进行标识也是可能的,并且是完全合适的。
If you’re interested, you can read a lot more about Fabric CA in the CA documentation section.
如果你感兴趣,你可以 在the CA documentation section文档中阅读更多的关于 Fabric CA的内容。
Certificate Revocation Lists(证书吊销列表)
A Certificate Revocation List (CRL) is easy to understand — it’s just a list of references to certificates that a CA knows to be revoked for one reason or another. If you recall the store scenario, a CRL would be like a list of stolen credit cards.
When a third party wants to verify another party’s identity, it first checks the issuing CA’s CRL to make sure that the certificate has not been revoked. A verifier doesn’t have to check the CRL, but if they don’t they run the risk of accepting a compromised identity.
Using a CRL to check that a certificate is still valid. If an impersonator tries to pass a compromised digital certificate to a validating party, it can be first checked against the issuing CA’s CRL to make sure it’s not listed as no longer valid.
Note that a certificate being revoked is very different from a certificate expiring. Revoked certificates have not expired — they are, by every other measure, a fully valid certificate. For more in-depth information about CRLs, click here.
Now that you’ve seen how a PKI can provide verifiable identities through a chain of trust, the next step is to see how these identities can be used to represent the trusted members of a blockchain network. That’s where a Membership Service Provider (MSP) comes into play — it identifies the parties who are the members of a given organization in the blockchain network.
To learn more about membership, check out the conceptual documentation on MSPs.