Hyperledger Fabric official website document translation (18) Key Concepts - Identity

What is an Identity?

The different actors in a blockchain network include peer nodes, ordering nodes, client applications, administrators and more. Each of these actors, the active elements able to consume services inside or outside the network, has a digital identity encapsulated in an X.509 digital certificate. These identities really matter, because they determine the exact permissions over resources, and access to information, that actors have in the blockchain network.

In addition, a digital identity has some additional attributes that Fabric uses to determine permissions, and it gives a special name to the union of an identity and its associated attributes: a principal. Principals are like userIDs or groupIDs, but more flexible, because they can include a wide range of properties of an actor's identity, such as the actor's organization, organizational unit, role, or even the actor's specific identity. When we talk about principals, it is these attributes that determine their permissions.

For an identity to be verifiable, it must come from a trusted authority. A Membership Service Provider (MSP) is how this is achieved in Fabric. More specifically, an MSP is a component that defines the rules governing the valid identities for an organization. The default MSP implementation in Fabric uses X.509 certificates as identities, adopting a traditional Public Key Infrastructure (PKI) hierarchical model (PKI is described in more detail later).

A Simple Scenario to Explain the Use of an Identity

Imagine that you visit a supermarket to buy some groceries. At the checkout you see a sign saying that only Visa, Mastercard and AMEX cards are accepted. If you try to pay with a different card, which we will call an "ImagineCard", it does not matter whether the card is authentic or whether you have ample funds in your account. It will not be accepted.
Having a valid credit card is not enough; it must also be accepted by the store! PKIs and MSPs work together in the same way: a PKI provides a list of identities, and an MSP says which of those are members of a given organization that participates in the network.

PKI certificate authorities and MSPs provide a similar combination of functionalities. A PKI is like a card provider: it dispenses many different types of verifiable identities. An MSP, on the other hand, is like the list of card providers accepted by the store, determining which identities are the trusted members (actors) of the store's payment network. MSPs turn verifiable identities into the members of a blockchain network.

Let's drill into these concepts in a little more detail.

What are PKIs?

A Public Key Infrastructure (PKI) is a collection of internet technologies that provides secure communications in a network. It's PKI that puts the S in HTTPS; if you're reading this documentation in a web browser, you're probably using a PKI to make sure it comes from a verified source.
The elements of a Public Key Infrastructure (PKI). A PKI is comprised of Certificate Authorities that issue digital certificates to parties (e.g. users of a service, service providers), who then use them to authenticate themselves in the messages they exchange in their environment. A CA's Certificate Revocation List (CRL) constitutes a reference for the certificates that are no longer valid. Revocation of a certificate can happen for a number of reasons. For example, a certificate may be revoked because the cryptographic private material associated with it has been exposed.

Although a blockchain network is more than a communications network, it relies on PKI standards to ensure secure communication between the various network participants, and to ensure that messages posted on the blockchain are properly authenticated. It is therefore important to understand the basics of PKI, and then why MSPs are so important.

There are four key elements to a PKI:

  • Digital Certificates
  • Public and Private Keys
  • Certificate Authorities
  • Certificate Revocation Lists (CRLs)

Let's quickly describe these PKI basics; if you want to know more, Wikipedia is a good place to start.

Digital Certificates

A digital certificate is a document that holds a set of attributes relating to the holder of the certificate. The most common type of certificate is one compliant with the X.509 standard, which allows the encoding of a party's identifying details in its structure.

For example, Mary Morris in the Manufacturing Division of Mitchell Cars in Detroit, Michigan might have a digital certificate with a SUBJECT attribute of C=US, ST=Michigan, L=Detroit, O=Mitchell Cars, OU=Manufacturing, CN=Mary Morris /UID=123456. Mary's certificate is similar to her government identity card: it provides information about Mary that she can use to prove key facts about herself. There are many other attributes in an X.509 certificate, but let's concentrate on just these for now.
A digital certificate describing a party called Mary Morris. Mary is the SUBJECT of the certificate, and the highlighted SUBJECT text shows key facts about Mary. As you can see, the certificate also holds much more information. Most importantly, Mary's public key is distributed within her certificate, whereas her private signing key is not. This signing key must be kept private.

What is important is that all of Mary's attributes can be recorded using a mathematical technique called cryptography (literally, "secret writing"), so that tampering will invalidate the certificate. Cryptography allows Mary to present her certificate to others to prove her identity, so long as the other party trusts the certificate issuer, known as a Certificate Authority (CA). As long as the CA keeps certain cryptographic information secure (meaning its own private signing key), anyone reading the certificate can be sure that the information about Mary has not been tampered with; it will always have those particular attributes for Mary Morris. Think of Mary's X.509 certificate as a digital identity card that cannot be changed.

Authentication, Public Keys, and Private Keys

Authentication and message integrity are important concepts in secure communications. Authentication requires that parties who exchange messages are assured of the identity that created a specific message. For a message to have "integrity" means that it cannot have been modified during its transmission. For example, you might want to be sure you are communicating with the real Mary Morris rather than an impersonator. Or, if Mary has sent you a message, you might want to be sure that it has not been tampered with by anyone else during transmission.

Traditional authentication mechanisms rely on digital signatures which, as the name suggests, allow a party to digitally sign its messages. Digital signatures also provide guarantees on the integrity of the signed message.

Technically speaking, digital signature mechanisms require each party to hold two cryptographically connected keys: a public key that is made widely available and acts as an authentication anchor, and a private key that is used to produce digital signatures on messages. The recipient of a digitally signed message can verify the origin and integrity of the received message by checking that the attached signature is valid under the public key of the expected sender.

The unique relationship between a private key and the corresponding public key is the cryptographic magic that makes secure communications possible. The unique mathematical relationship between the keys is such that the private key can be used to produce a signature on a message that only the corresponding public key can match, and only on the same message.

In the example above, Mary uses her private key to sign the message. The signature can be verified by anyone who sees the signed message using her public key.
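As an added example (not part of the Fabric documentation or the Fabric code base) of the signing and verification just described, using Go's standard ECDSA on the P-256 curve; the message text and the impostor's key pair are constructed for the demonstration:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sign hashes msg with SHA-256 and signs the digest with the signer's private key.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify re-hashes msg and checks sig under pub: true only if the matching private key
// produced sig over exactly this message (origin and integrity at once).
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo plays out the scenario in the text: Mary signs a message; a verifier holding only her
// public key accepts it, rejects the same signature over an altered message, and rejects an
// impostor's signature over the original message.
func Demo() (genuine, tampered, impostor bool, err error) {
	mary, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the impostor's key pair (constructed)
	if err != nil {
		return
	}
	msg := []byte("Ship 40 engines to the Detroit plant") // constructed sample message
	sig, err := Sign(mary, msg)
	if err != nil {
		return
	}
	genuine = Verify(&mary.PublicKey, msg, sig)
	tampered = Verify(&mary.PublicKey, []byte("Ship 400 engines to the Detroit plant"), sig) // integrity check fails
	forged, _ := Sign(other, msg)
	impostor = Verify(&mary.PublicKey, msg, forged) // authentication check fails
	return
}

func main() {
	fmt.Println(Demo()) // true false false <nil>
}
```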

Certificate Authorities

As you have seen, an actor or a node is able to participate in the blockchain network by means of a digital identity issued for it by an authority trusted by the system. In the most common case, digital identities (or simply identities) take the form of cryptographically validated digital certificates that comply with the X.509 standard and are issued by a Certificate Authority (CA).

CAs are a common part of internet security protocols, and you have probably heard of some of the more popular ones: Symantec (originally Verisign), GeoTrust, DigiCert, GoDaddy and Comodo, among others.
A Certificate Authority dispenses certificates to different actors. These certificates are digitally signed by the CA and bind the actor to the actor's public key (and, optionally, to a comprehensive list of properties). As a result, if one trusts the CA (and knows its public key), one can trust that the specific actor is bound to the public key included in the certificate, and owns the included attributes, by validating the CA's signature on the actor's certificate.

Certificates can be widely disseminated, as they include neither the actors' nor the CA's private keys. As such, they can be used as anchors of trust for authenticating messages coming from different actors.

CAs also have a certificate, which they make widely available. This allows the consumers of identities issued by a given CA to verify those identities by checking that the certificate could only have been generated by the holder of the corresponding private key (the CA).

In a blockchain setting, every actor who wishes to interact with the network needs an identity. In this setting, you might say that one or more CAs can be used to define the members of an organization from a digital perspective. It is the CA that provides the basis for an organization's actors to have a verifiable digital identity.

Root CAs, Intermediate CAs and Chains of Trust

CAs come in two flavors: Root CAs and Intermediate CAs. Because Root CAs (Symantec, Geotrust, etc.) have to securely distribute hundreds of millions of certificates to internet users, it makes sense to spread this process out across what are called Intermediate CAs. These Intermediate CAs have their certificates issued by the Root CA or another intermediate authority, which allows a "chain of trust" to be established for any certificate issued by any CA in the chain. This ability to track back to the Root CA not only lets the function of CAs scale while still providing security, allowing organizations that consume certificates to use Intermediate CAs with confidence, it also limits the exposure of the Root CA, which, if compromised, would endanger the entire chain of trust. If an Intermediate CA is compromised, on the other hand, the exposure is much smaller.
A chain of trust is established between a Root CA and a set of Intermediate CAs as long as the issuing CA for each Intermediate CA's certificate is either the Root CA itself or has its own chain of trust to the Root CA.

Intermediate CAs provide a huge amount of flexibility when it comes to issuing certificates across multiple organizations, and that is very helpful in a permissioned blockchain system (like Fabric). For example, you will see that different organizations may use different Root CAs, or the same Root CA with different Intermediate CAs; it really does depend on the needs of the network.

Fabric CA

Because CAs are so important, Fabric provides a built-in CA component that lets you create CAs in the blockchain networks you build. This component, known as Fabric CA, is a private root CA provider capable of managing the digital identities of Fabric participants in the form of X.509 certificates. Because Fabric CA is a custom CA targeting the Root CA needs of Fabric, it is inherently not capable of providing SSL certificates for general or automatic use in browsers. However, because some CA must be used to manage identity (even in a test environment), Fabric CA can be used to provide and manage certificates. It is also possible, and fully appropriate, to use a public or commercial root or intermediate CA to provide identification.

If you are interested, you can read a lot more about Fabric CA in the CA documentation section.

Certificate Revocation Lists

A Certificate Revocation List (CRL) is easy to understand: it is just a list of references to certificates that a CA knows to be revoked for one reason or another. If you recall the store scenario, a CRL is like a list of stolen credit cards.

When a third party wants to verify another party's identity, it first checks the issuing CA's CRL to make sure that the certificate has not been revoked. A verifier does not have to check the CRL, but if it does not, it runs the risk of accepting a compromised identity.
Using a CRL to check that a certificate is still valid. If an impersonator tries to pass a compromised digital certificate to a validating party, that party can first check it against the issuing CA's CRL to make sure it is not listed as no longer valid.

Note that a certificate being revoked is very different from a certificate expiring. Revoked certificates have not expired; by every other measure they are fully valid certificates. For more in-depth information about CRLs, click here.
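As an added example (not from the Fabric documentation or the Fabric CA project) serving both the chain-of-trust section and this CRL section: Go's standard crypto/x509 package builds a Root CA, an Intermediate CA and Mary Morris's certificate with the subject attributes shown earlier, verifies the chain with and without the intermediate, and then checks a CRL signed by the issuing CA, as the text recommends. All names, serial numbers and validity periods are constructed for illustration, and Ed25519 keys are used only to keep the code short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for subj with the given key usage: self-signed (a Root CA) when parent is nil, otherwise signed by the parent CA's key.
func issue(subj pkix.Name, usage x509.KeyUsage, serial int64, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subj, KeyUsage: usage, BasicConstraintsValid: true,
		IsCA: usage&x509.KeyUsageCertSign != 0, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// revoked reports whether the CRL lists cert's serial number: the check a verifier makes before accepting cert.
func revoked(crl *x509.RevocationList, cert *x509.Certificate) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

// Demo builds Root CA -> Intermediate CA -> Mary and reports: chain verifies with the intermediate, fails without it, the CRL is CA-signed, Mary is revoked.
func Demo() (fullChain, noIntermediate, crlFromIssuer, maryRevoked bool) {
	ca := x509.KeyUsageCertSign | x509.KeyUsageCRLSign // a CA signs certificates and CRLs; a leaf like Mary only signs messages
	root, rootKey := issue(pkix.Name{CommonName: "Root CA"}, ca, 1, nil, nil)
	inter, interKey := issue(pkix.Name{CommonName: "Intermediate CA"}, ca, 2, root, rootKey)
	mary, _ := issue(pkix.Name{Country: []string{"US"}, Province: []string{"Michigan"}, Locality: []string{"Detroit"}, Organization: []string{"Mitchell Cars"}, OrganizationalUnit: []string{"Manufacturing"}, CommonName: "Mary Morris"}, x509.KeyUsageDigitalSignature, 123456, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool() // what the verifier trusts (the root) and what it was handed (the intermediate)
	roots.AddCert(root)
	inters.AddCert(inter)
	_, errFull := mary.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	_, errNoInter := mary.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // intermediate never shared: no chain to the root
	der, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: mary.SerialNumber, RevocationTime: time.Now()}}}, inter, interKey) // the Intermediate CA revokes Mary
	crl, _ := x509.ParseRevocationList(der) // parsed as a verifier would receive it; its CA signature is checked before its contents are trusted
	return errFull == nil, errNoInter == nil, crl.CheckSignatureFrom(inter) == nil, revoked(crl, mary)
}
```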

Now that you have seen how a PKI can provide verifiable identities through a chain of trust, the next step is to see how these identities can be used to represent the trusted members of a blockchain network. That is where a Membership Service Provider (MSP) comes into play: it identifies the parties who are the members of a given organization in the blockchain network.

To learn more about membership, check out the conceptual documentation on MSPs.

Reference:
Hyperledger Fabric 1.3 official documentation translation (3): Key Concepts - 3.5 Identity

The official English original document:
https://hyperledger-fabric.readthedocs.io/en/latest/identity/identity.html

Origin: blog.csdn.net/yzpbright/article/details/88636986