Hyperledger Fabric Official Documentation, Translated Introductory Tutorial: Key Concepts (Identity)

Identity

What is an Identity?

The different actors in a blockchain network include peers, orderers, client applications, administrators and more. Each of these actors (active elements inside or outside a network that are able to consume services) has a digital identity encapsulated in an X.509 digital certificate. These identities matter because they determine the exact permissions over resources, and the access to information, that actors have in a blockchain network.

A digital identity furthermore has some additional attributes that Fabric uses to determine permissions, and Fabric gives the union of an identity and its associated attributes a special name: principal. Principals are similar to user IDs or group IDs, but somewhat more flexible, because they can include a wide range of properties of an actor's identity, such as the actor's organization, organizational unit, role, or even the actor's specific identity. When we talk about principals, we mean this set of properties, because they are what determine an actor's permissions.

For an identity to be verifiable, it must come from a trusted authority. In Fabric this is achieved by a membership service provider (MSP). More specifically, an MSP is a component that defines the rules governing which identities are valid for an organization. The default MSP implementation in Fabric uses X.509 certificates as identities, adopting a traditional Public Key Infrastructure (PKI) hierarchical model (more on PKI later).


A Simple Scenario to Explain the Use of an Identity

Imagine that you visit a supermarket to buy some groceries. At the checkout you see a sign that says that only Visa, Mastercard and AMEX cards are accepted. If you try to pay with a different card, let's call it an "ImagineCard", it doesn't matter whether the card is authentic and you have sufficient funds in your account. It will not be accepted.

Having a valid credit card is not enough: it must also be accepted by the store! PKIs and MSPs work together in the same way. A PKI provides a list of identities, and an MSP says which of these are members of a given organization that participates in the network.
 

PKI certificate authorities and MSPs provide a similar combination of functionalities. A PKI is like a card provider: it dispenses many different types of verifiable identities. An MSP, on the other hand, is like the list of card providers accepted by the store; it determines which identities are the trusted members (actors) of the store's payment network. MSPs turn verifiable identities into the members of a blockchain network.

Let's drill into these concepts in a little more detail.

What are PKIs?

A public key infrastructure (PKI) is a collection of internet technologies that provides secure communications in a network. It's PKI that puts the S in HTTPS, and if you're reading this documentation in a web browser, you're probably relying on a PKI to make sure it comes from a verified source.

The elements of Public Key Infrastructure (PKI). A PKI is comprised of Certificate Authorities who issue digital certificates to parties (e.g., users of a service, service providers), who then use them to authenticate themselves in the messages they exchange with their environment. A CA's Certificate Revocation List (CRL) constitutes a reference for the certificates that are no longer valid. Revocation of a certificate can happen for a number of reasons; for example, a certificate may be revoked because the private key associated with the certificate has been exposed.

Although a blockchain network is more than a communications network, it relies on the PKI standard to ensure secure communication between the various network participants, and to ensure that messages posted on the blockchain are properly authenticated. It's therefore important to understand the basics of PKI, and then why MSPs are so important.

There are four key elements to PKI:

  • Digital Certificates

  • Public and Private Keys

  • Certificate Authorities

  • Certificate Revocation Lists

Let's quickly describe these PKI basics, and if you want to know more details, Wikipedia is a good place to start.

Digital Certificates

A digital certificate is a document which holds a set of attributes relating to the holder of the certificate. The most common type of certificate is the one compliant with the X.509 standard, which allows the encoding of a party's identifying details in its structure.

For example, Mary Morris in the Manufacturing Division of Mitchell Cars in Detroit, Michigan might have a digital certificate with a SUBJECT attribute of C=US, ST=Michigan, L=Detroit, O=Mitchell Cars, OU=Manufacturing, CN=Mary Morris /UID=123456. Mary's certificate is similar to her government identity card: it provides information about Mary which she can use to prove key facts about her. There are many other attributes in an X.509 certificate, but let's concentrate on just these for now.

A digital certificate describing a party called Mary Morris. Mary is the SUBJECT of the certificate, and the highlighted SUBJECT text shows key facts about Mary. The certificate also holds many more pieces of information, as you can see. Most importantly, Mary's public key is distributed within her certificate, whereas her private signing key is not. This signing key must be kept private.

What is important is that all of Mary's attributes can be recorded using a mathematical technique called cryptography (literally, "secret writing") so that tampering will invalidate the certificate. Cryptography allows Mary to present her certificate to others to prove her identity, so long as the other party trusts the certificate issuer, known as a Certificate Authority (CA). As long as the CA keeps certain cryptographic material secure (meaning, its own private signing key), anyone reading the certificate can be sure that the information about Mary has not been tampered with: it will always carry those particular attributes for Mary Morris. Think of Mary's X.509 certificate as a digital identity card that cannot be altered without the alteration being detected.

Authentication, Public Keys, and Private Keys

Authentication and message integrity are important concepts in secure communications. Authentication requires that parties who exchange messages are assured of the identity that created a specific message. For a message to have "integrity" means that it cannot have been modified during its transmission. For example, you might want to be sure you're communicating with the real Mary Morris rather than an impersonator. Or if Mary has sent you a message, you might want to be sure that it hasn't been tampered with by anyone else during transmission.
 

Traditional authentication mechanisms rely on digital signatures that, as the name suggests, allow a party to digitally sign its messages. Digital signatures also provide guarantees on the integrity of the signed message.

Technically speaking, digital signature mechanisms require each party to hold two cryptographically connected keys: a public key that is made widely available and acts as an authentication anchor, and a private key that is used to produce digital signatures on messages. Recipients of digitally signed messages can verify the origin and integrity of a received message by checking that the attached signature is valid under the public key of the expected sender.

The unique relationship between a private key and the corresponding public key is the cryptographic magic that makes secure communications possible. The mathematical relationship between the keys is such that the private key can be used to produce a signature on a message that only the corresponding public key can match, and only for that same message.

In the example above, Mary uses her private key to sign the message. The signature can be verified by anyone who sees the signed message, using her public key.

Certificate Authorities

As you've seen, an actor or a node is able to participate in the blockchain network by means of a digital identity issued for it by an authority trusted by the system. In the most common case, digital identities (or simply identities) have the form of cryptographically validated digital certificates that comply with the X.509 standard and are issued by a Certificate Authority (CA).

CAs are a common part of internet security protocols, and you've probably heard of some of the more popular ones: Symantec (originally Verisign; its CA business has since been acquired by DigiCert), GeoTrust, DigiCert, GoDaddy, and Comodo, among others.

A Certificate Authority dispenses certificates to different actors. These certificates are digitally signed by the CA and bind the actor to the actor's public key (and optionally to a comprehensive list of properties). As a result, anyone who trusts the CA (and knows its public key) can, by validating the CA's signature on the actor's certificate, trust that the specific actor is bound to the public key included in the certificate and owns the included attributes.

Certificates can be widely disseminated, as they include neither the actors' nor the CA's private keys. As such they can be used as anchors of trust for authenticating messages coming from different actors.

CAs also have a certificate, which they make widely available. This allows the consumers of identities issued by a given CA to verify them by checking that the certificate could only have been generated by the holder of the corresponding private key (the CA).

In a blockchain setting, every actor who wishes to interact with the network needs an identity. In this setting, you might say that one or more CAs can be used to define the members of an organization from a digital perspective. It's the CA that provides the basis for an organization's actors to have a verifiable digital identity.
 

Root CAs, Intermediate CAs and Chains of Trust

CAs come in two flavors: Root CAs and Intermediate CAs. Because Root CAs (Symantec, GeoTrust, etc.) have to securely distribute hundreds of millions of certificates to internet users, it makes sense to spread this process out across what are called Intermediate CAs. These Intermediate CAs have their certificates issued by the Root CA or by another intermediate authority, allowing the establishment of a "chain of trust" for any certificate that is issued by any CA in the chain. This ability to track back to the Root CA not only allows the function of CAs to scale while still providing security (allowing organizations that consume certificates to use Intermediate CAs with confidence), it also limits the exposure of the Root CA, which, if compromised, would endanger the entire chain of trust. If an Intermediate CA is compromised, on the other hand, the exposure is much smaller, and its certificate can be revoked by the Root CA without replacing the trust anchor.

A chain of trust is established between a Root CA and a set of Intermediate CAs as long as the issuing CA for the certificate of each of these Intermediate CAs is either the Root CA itself or has a chain of trust to the Root CA.

Intermediate CAs provide a huge amount of flexibility when it comes to the issuance of certificates across multiple organizations, and that's very helpful in a permissioned blockchain system (like Fabric). For example, you'll see that different organizations may use different Root CAs, or the same Root CA with different Intermediate CAs; it really does depend on the needs of the network.

Fabric CA

It's because CAs are so important that Fabric provides a built-in CA component to allow you to create CAs in the blockchain networks you form. This component, known as Fabric CA, is a private root CA provider capable of managing the digital identities of Fabric participants, which have the form of X.509 certificates. Because Fabric CA is a custom CA targeting the Root CA needs of Fabric, its root is not in any browser's trust store, so it cannot provide TLS/SSL certificates for general, automatic use on the public web. However, because some CA must be used to manage identity (even in a test environment), Fabric CA can be used to provide and manage certificates. It is also possible, and fully appropriate, to use a public/commercial root or intermediate CA to provide identities.

If you're interested, you can read a lot more about Fabric CA in the CA documentation section.

Certificate Revocation Lists

A Certificate Revocation List (CRL) is easy to understand: it's just a list of references to certificates that a CA knows to be revoked for one reason or another. If you recall the store scenario, a CRL would be like a list of stolen credit cards.

When a third party wants to verify another party's identity, it first checks the issuing CA's CRL to make sure that the certificate has not been revoked. A verifier doesn't have to check the CRL, but if they don't they run the risk of accepting a compromised identity. The CRL itself is signed by the CA and carries a validity window (this update, next update), so a careful verifier also confirms that the list really came from the issuing CA and is current before relying on it; a stale or unsigned list is no better than no list at all.

Using a CRL to check that a certificate is still valid. If an impersonator tries to pass a compromised digital certificate to a validating party, it can first be checked against the issuing CA's CRL to make sure it's not listed as no longer valid.

Note that a certificate being revoked is very different from a certificate expiring. Revoked certificates have not expired; by every other measure they are fully valid certificates, which is exactly why the CRL check is needed. For more in-depth information about CRLs, click here.
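A worked version of the chain-of-trust and revocation checks from the preceding sections, added here as an example; it is not code from the Fabric documentation or from Fabric itself, and it uses only Go's crypto/x509 package. Everything in it is constructed for the example: a root CA and an intermediate CA for Mitchell Cars, a certificate for Mary Morris with the subject attributes given earlier (the UID attribute is omitted, since pkix.Name has no field for it), an "ImagineCard" identity issued by a root the verifier does not trust, and a CRL in which the intermediate revokes Mary's certificate. RunScenario does what a relying party does: build the chain to its trust anchor, refuse a chain that ends at an unknown root, and consult the issuer's CRL only after checking that the CRL is signed by that issuer and is current.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the demo short: key, certificate and CRL creation only fail on a bad random source or template.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey // never placed in the certificate; only the public key is
}

// issue creates a certificate for subject signed by parent; a nil parent means self-signed (a Root CA).
func issue(subject pkix.Name, serial int64, isCA bool, parent *identity) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA { // a CA must be allowed to sign certificates and CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return &identity{cert: must(x509.ParseCertificate(der)), key: key}
}

// makeCRL has ca sign a CRL over the given serials and returns it parsed, as a relying party would see it.
func makeCRL(ca *identity, serials []*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key))))
}

// isRevoked is the CRL check a verifier should make: the list must carry the issuer's signature and be
// current, failing closed otherwise; only then is the certificate's serial looked up in it.
func isRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if now := time.Now(); now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL not current: thisUpdate %v, nextUpdate %v", crl.ThisUpdate, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

type Outcome struct {
	MarySubject     string // Mary's subject DN as the certificate carries it
	ChainOK         bool   // Mary chains through the intermediate to the trusted root
	ForeignRejected bool   // a well-formed identity from an untrusted root (the "ImagineCard") is refused
	RevokedDetected bool   // Mary's serial is found on the intermediate CA's CRL
}

// RunScenario builds Root CA -> Intermediate CA -> Mary, plus an identity under an unrelated root.
func RunScenario() (*Outcome, error) {
	org := []string{"Mitchell Cars"}
	root := issue(pkix.Name{Organization: org, CommonName: "Mitchell Cars Root CA"}, 1, true, nil)
	inter := issue(pkix.Name{Organization: org, CommonName: "Mitchell Cars Manufacturing CA"}, 2, true, root)
	mary := issue(pkix.Name{Country: []string{"US"}, Province: []string{"Michigan"}, Locality: []string{"Detroit"},
		Organization: org, OrganizationalUnit: []string{"Manufacturing"}, CommonName: "Mary Morris"}, 1001, false, inter)
	foreign := issue(pkix.Name{CommonName: "Mary Morris"}, 2, false, issue(pkix.Name{CommonName: "ImagineCard Root CA"}, 1, true, nil))
	// Trust anchors: only the Mitchell Cars root is trusted; the intermediate is supplied so the chain can be built.
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	inters.AddCert(inter.cert)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	out := &Outcome{MarySubject: mary.cert.Subject.String()}
	_, err := mary.cert.Verify(opts)
	out.ChainOK = err == nil
	_, err = foreign.cert.Verify(opts) // authentic and unexpired, yet signed by nobody we trust
	out.ForeignRejected = err != nil
	// Revocation: Mary's certificate has not expired and still chains; only the intermediate's CRL reveals the leaked key.
	crl := makeCRL(inter, []*big.Int{mary.cert.SerialNumber})
	out.RevokedDetected, err = isRevoked(crl, inter.cert, mary.cert)
	return out, err
}

func main() { fmt.Printf("%+v\n", must(RunScenario())) }
```

Two practitioner points the example encodes: the intermediate goes into the Intermediates pool and not into Roots, so it can complete a chain but can never serve as a trust anchor on its own; and a CRL whose signature or validity window fails is returned as an error rather than as "nothing revoked", since an attacker who can serve a stale or forged CRL must not be able to resurrect a revoked identity. The must helper panics on construction errors to keep the demo short; x509.ParseRevocationList requires Go 1.19 or later.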

Now that you've seen how a PKI can provide verifiable identities through a chain of trust, the next step is to see how these identities can be used to represent the trusted members of a blockchain network. That's where a Membership Service Provider (MSP) comes into play: it identifies the parties who are the members of a given organization in the blockchain network.

To learn more about membership, check out the conceptual documentation on MSPs.


Reposted from blog.csdn.net/dreamslike/article/details/81638645