• 资料
• 结构
• 信任
• 安全

资料

PKI and Certificate Security

RFC4158 Internet X.509 Public Key Infrastructure: Certification Path Building

RFC5217 Memorandum for Multi-Domain Public Key Infrastructure Interoperability

Introduction to Public Key Infrastructure

Understanding Certification Path Construction

The Federal Bridge: A Foundation of Trust

PKI Trust Models

The Federal Bridge Certification Authority

Public Key Infrastructures

RFC5272 Certificate Management over CMS (CMC)

RFC7030 Enrollment over Secure Transport

PKI Trust Models: Whom do you trust?

Cross-Certification and PKI Policy Networking

PKI-in-nutshell

Usability and Key Management

结构

Hierarchical CA，单Root，例如DNSSEC

Peer-to-Peer CA，多个Root CA之间互签，相当于每次都是1v1互签

Bridge CA，多个Root CA各自与Bridge CA互签，Bridge CA作为中介，连接起不同联盟的CA

信任

CA Trust List，例如浏览器CA List

本地 Root CA + Bridge，例如美国federal bridge

安全

单CA + 无Bridge，应用范围有限，适用于自建CA自行应用，无交互

P2P CA，有限度的互相信任，可随时主动撤销信任；适用于群组内强互信的场景

CA Trust List，比较宽松的信任，一个CA可恶意签发由其他CA签发的域名；适用于上级层数较少、底层叶子极多、CA不互通的场景

Bridge，更加宽松的信任，Bridge传递信任，然而加入的CA越多越不可控；且验签链路较长；适用于相同业务的不同CA信任联盟

---

---

Published

Tags

• pki 4

Share On

• twitter


• weibo


• reddit


• linkedin