Digital Certificates  2021/2/21
Certificate Authority (CA): generates and issues certificates for a given security domain. It sets and controls the policy of that domain and, relative to the other users in it, holds absolute authority.
Figure: PKI workflow between the Principal/Applicant, the Registration Authority (RA), the Certificate Authority (CA), the Cert and CRL Repository (LDAP Directory), and the Application or other entity:
1. Users apply for certification.
2. RA verifies identity.
3. RA requests cert for user.
4. CA issues cert.
5. CA publishes certs and CRLs to the repository.
5a. CA pushes CRL info to client based on policy.
6. Apps and other systems use certs.
Figure: deployment topology. The Certificate Authority, Registration Authority, Principal/Applicant and Repository each sit on their own Local Area Network, interconnected through a Wide Area Network.
CA trust model
Any PKI that supports more than a single security domain must consider how trust in the CA itself is established:
Q: Who is the CA's trusted third party?
   Who signs the CA's own digital certificate? (hierarchy)
   With whom does the CA share trust? (cross-certificates)
CA trust model
Three main CA trust models:
1. Cross-certification
2. Certificate chains
3. Hub/bridge CA
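The following program is an added example, not part of the slides, that exercises both the issuance workflow above (steps 4, 5 and 6: the CA issues a certificate, publishes a CRL, and a relying application verifies the certificate and consults the CRL) and the three trust models, using only Go's crypto/x509 standard library. The CA names (CA-A, CA-B, Sub-A, Bridge), the applicant names (alice, bob, carol) and the keys are all constructed in memory for the demonstration; the RA's identity check (steps 1 to 3) and the LDAP repository are organisational pieces with no cryptographic content and are not modelled. A relying party that trusts only CA-A is shown accepting certificates through a subordinate CA (certificate chain), through a cross-certificate that CA-A issued for CA-B's key (cross-certification), and through a bridge CA that both roots certify (hub/bridge), while rejecting a CA-B certificate when no such link exists and rejecting a revoked certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error to keep the example short; a real CA would propagate the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey makes a constructed, in-memory P-256 key for a CA or an applicant.
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue is the CA's step 4: sign a certificate binding name to pub. A nil parent gives a
// self-signed root; isCA marks root, subordinate, cross and bridge certificates.
func issue(name string, pub *ecdsa.PublicKey, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial := must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // RFC 5280: serials are positive
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // only CA certificates may sign certificates and CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// publishCRL is step 5: the CA signs a CRL listing the revoked serial numbers.
func publishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
	return must(x509.ParseRevocationList(der))
}

// accept is step 6: the relying application chains leaf to the one root it trusts through
// the supplied intermediates, then consults the issuer's CRL when one is supplied.
func accept(leaf *x509.Certificate, crl *x509.RevocationList, root *x509.Certificate, inters ...*x509.Certificate) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool})
	if err != nil || crl == nil {
		return err
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] issued the leaf
		return fmt.Errorf("untrusted CRL: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %v is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

// runScenarios exercises the workflow and the three trust models; true means accepted.
func runScenarios() map[string]bool {
	keyA, keyB := newKey(), newKey()
	caA := issue("CA-A", &keyA.PublicKey, true, nil, keyA) // self-signed root of security domain A
	caB := issue("CA-B", &keyB.PublicKey, true, nil, keyB) // root of domain B, initially unrelated to A
	res := map[string]bool{}
	// Steps 1-6 inside domain A: alice applies, CA-A issues, publishes a CRL, the app verifies.
	alice := issue("alice", &newKey().PublicKey, false, caA, keyA)
	res["issued"] = accept(alice, publishCRL(caA, keyA), caA) == nil
	res["revoked"] = accept(alice, publishCRL(caA, keyA, alice), caA) == nil
	// Trust model 2, certificate chain: CA-A -> subordinate Sub-A -> bob.
	subKey := newKey()
	subA := issue("Sub-A", &subKey.PublicKey, true, caA, keyA)
	res["chain"] = accept(issue("bob", &newKey().PublicKey, false, subA, subKey), nil, caA, subA) == nil
	// carol is certified by CA-B; a relying party that trusts only CA-A rejects her.
	carol := issue("carol", &newKey().PublicKey, false, caB, keyB)
	res["foreign"] = accept(carol, nil, caA) == nil
	// Trust model 1, cross-certification: CA-A certifies CA-B's key under CA-B's name.
	res["cross"] = accept(carol, nil, caA, issue("CA-B", &keyB.PublicKey, true, caA, keyA)) == nil
	// Trust model 3, hub/bridge CA: CA-A certifies the bridge and the bridge certifies CA-B,
	// so carol chains carol -> CA-B (by bridge) -> bridge (by CA-A) -> CA-A.
	bridgeKey := newKey()
	aToBridge := issue("Bridge", &bridgeKey.PublicKey, true, caA, keyA)
	res["bridge"] = accept(carol, nil, caA, aToBridge, issue("CA-B", &keyB.PublicKey, true, aToBridge, bridgeKey)) == nil
	return res
}

func main() { fmt.Println(runScenarios()) }
```

The point to notice is that a cross-certificate and a bridge certificate are ordinary CA certificates: they carry the other CA's public key and name but are signed by a CA the relying party already trusts, so path building (leaf.Verify above) finds a route to the local root without the relying party ever importing the foreign root. The CRL check in accept also shows why the CRL must be validated against the leaf's actual issuer in the chain rather than against any trusted CA: in the cross-certified case that issuer is CA-B's key, whichever certificate happens to carry it.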