PKI
References
RFC4158 Internet X.509 Public Key Infrastructure: Certification Path Building
RFC5217 Memorandum for Multi-Domain Public Key Infrastructure Interoperability
Introduction to Public Key Infrastructure
Understanding Certification Path Construction
The Federal Bridge: A Foundation of Trust
The Federal Bridge Certification Authority
RFC5272 Certificate Management over CMS (CMC)
RFC7030 Enrollment over Secure Transport
PKI Trust Models: Whom do you trust?
Cross-Certification and PKI Policy Networking
Structure
Hierarchical CA: a single Root, e.g. DNSSEC
Peer-to-Peer CA: several Root CAs cross-sign one another; every pair needs its own 1-to-1 cross-certification
Bridge CA: each Root CA cross-certifies only with the Bridge CA; the Bridge acts as an intermediary that connects the CAs of different federations
Trust
CA Trust List, e.g. a browser's CA list
Local Root CA + Bridge, e.g. the US Federal Bridge
Security
Single CA without a Bridge: limited scope; suited to a self-operated CA used only by its own applications, with no interoperation
P2P CA: limited mutual trust that either side can revoke unilaterally at any time; suited to groups with strong mutual trust
CA Trust List: fairly loose trust, since any CA on the list can maliciously issue a certificate for a domain that another CA legitimately issues for; suited to scenarios with few upper tiers, very many leaf certificates, and CAs that do not interoperate
Bridge: looser still, because the Bridge relays trust transitively, so the more CAs join, the less controllable it becomes; validation paths are also longer; suited to federations of different CAs serving the same line of business
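As an added example (not from the original notes or from any of the RFCs they list), the following Python models the Structure and Security points above: cross-certificates as issuer-to-subject edges, a simplified forward path builder in the spirit of RFC 4158 (breadth-first search from the relying party's trust anchors), and a hop limit standing in for a pathLenConstraint. The CA names (RootA..RootE, Bridge) are constructed.

```python
from collections import deque

# Constructed example federation (not from the page): five root CAs that want
# to validate each other's certificates.
ROOTS = ["RootA", "RootB", "RootC", "RootD", "RootE"]
BRIDGE = "Bridge"  # hypothetical bridge CA name


def mesh_cross_certs(roots):
    """Peer-to-peer model: every root cross-certifies every other root.
    Each tuple is one cross-certificate (issuer, subject); n roots need n*(n-1)."""
    return {(issuer, subject) for issuer in roots for subject in roots if issuer != subject}


def bridge_cross_certs(roots, bridge=BRIDGE):
    """Bridge model: each root and the bridge cross-certify each other; n roots need 2n."""
    certs = set()
    for root in roots:
        certs.add((root, bridge))   # root issues a cross-certificate to the bridge
        certs.add((bridge, root))   # bridge issues a cross-certificate back to the root
    return certs


def build_path(certs, anchors, target, max_hops=None):
    """Simplified forward path building: breadth-first search from the relying
    party's trust anchors over issuer->subject edges until the CA that issued the
    target's certificate is reached.  max_hops caps the number of cross-certificates
    in the path, the way a pathLenConstraint would.  Returns the list of CA names
    along the path (anchor first), or None if no path exists."""
    by_issuer = {}
    for issuer, subject in certs:
        by_issuer.setdefault(issuer, []).append(subject)
    queue = deque([anchor] for anchor in anchors)
    seen = set(anchors)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if max_hops is not None and len(path) - 1 >= max_hops:
            continue  # path already at the hop limit; do not extend it further
        for nxt in sorted(by_issuer.get(path[-1], [])):  # sorted for deterministic output
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    mesh = mesh_cross_certs(ROOTS)
    bridge = bridge_cross_certs(ROOTS)
    print("cross-certs needed, mesh:", len(mesh), "bridge:", len(bridge))
    print("P2P path   :", build_path(mesh, ["RootA"], "RootD"))
    print("Bridge path:", build_path(bridge, ["RootA"], "RootD"))
    # RootA unilaterally revokes its cross-certificate to RootD (the P2P revocation case):
    revoked = mesh - {("RootA", "RootD")}
    print("after revocation, no hop limit:", build_path(revoked, ["RootA"], "RootD"))
    print("after revocation, 1-hop limit :", build_path(revoked, ["RootA"], "RootD", max_hops=1))
    # Trust-list model: every root is an anchor, so the path is trivial.
    print("trust list :", build_path(set(), ROOTS, "RootD"))
```

Two things the run makes visible that the notes only state: the bridge path is one cross-certificate longer than the direct peer-to-peer path, and in a full mesh the revocation of a single direct cross-certificate does not by itself stop the relying party's path builder from reaching RootD through another peer; the revocation only takes effect once path length (or name and policy constraints) limit transitive trust.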