PKI
########

Structure
==========================================================

- Hierarchical CA: a single root at which every certification path ends. DNSSEC is the textbook single-root hierarchy.
- Peer-to-peer (mesh) CA: several root CAs cross-certify one another. Every trust relationship is a separate 1:1 cross-signing, so fully connecting n CAs takes n(n-1) cross-certificates.
- Bridge CA: several root CAs each cross-certify with one Bridge CA, which acts as the intermediary linking the CAs of otherwise separate federations.

Trust
==========================================================

- CA trust list: the relying party trusts a fixed set of roots outright, for example a browser's root CA list.
- Local root CA + bridge: the relying party trusts its own root and reaches other domains only through the bridge's cross-certificates, for example the US Federal Bridge.

Security
==========================================================

- Single CA, no bridge: limited reach; suited to a self-operated CA whose certificates are consumed only by its own systems, with no interoperation.
- P2P CA: limited, explicit mutual trust that either side can withdraw at any time by revoking its cross-certificate; suited to a closed group of strongly mutually trusting parties.
- CA trust list: loose trust. Any CA on the list can issue for any name, including a domain that another listed CA already certifies, so one compromised or malicious CA exposes every relying party (in the Web PKI, Certificate Transparency and CAA records are the usual compensating controls). Suited to a shallow hierarchy with very many leaves and CAs that never need to interoperate.
- Bridge: looser still. The bridge transmits trust, and the more CAs join, the less any member controls who becomes reachable; certification paths are also longer and path building gets harder (RFC 4158). Name constraints and policy mappings in the cross-certificates are the tools for bounding what a bridge transmits. Suited to several CA federations serving the same line of business.

Resources
==========================================================

- PKI and Certificate Security
- RFC4158 Internet X.509 Public Key Infrastructure: Certification Path Building
- RFC5217 Memorandum for Multi-Domain Public Key Infrastructure Interoperability
- Introduction to Public Key Infrastructure
- Understanding Certification Path Construction
- The Federal Bridge: A Foundation of Trust
- PKI Trust Models
- The Federal Bridge Certification Authority
- Public Key Infrastructures
- RFC5272 Certificate Management over CMS (CMC)
- RFC7030 Enrollment over Secure Transport
- PKI Trust Models: Whom do you trust?
- Cross-Certification and PKI Policy Networking
- PKI-in-nutshell
- Usability and Key Management
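Worked example
==========================================================

The Go program below is an added example, not part of the original notes and not code from any of the listed resources. It builds a constructed toy PKI (three self-operated roots named "Root A", "Root B" and "Bridge CA", and a hypothetical host ``service.b.example``; all names are assumptions) and uses ``crypto/x509`` as the relying party to measure the certification path under each trust model from the Structure and Security sections: the hierarchical case (a leaf validated directly against its own root), the single-CA case with no bridge (no path at all, reported as ``x509.UnknownAuthorityError``), the bridge case (A cross-certifies the bridge, the bridge cross-certifies B, and the path doubles in length), and the trust-list case (with both A and B trusted, a certificate A issues for B's name validates just as well, which is the trust-list caveat above).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Authority is one CA of the constructed toy PKI: its key and its self-signed root.
type Authority struct{ Key *ecdsa.PrivateKey; Cert *x509.Certificate }

// must keeps the demo short; a real CA would handle each error individually.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a CA template (no pathLen limit) or a server template for a DNS name.
func template(name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl for public key pub, signed by signer, whose certificate is parent.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

func newAuthority(name string) *Authority {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := template(name, true)
	return &Authority{Key: key, Cert: sign(tmpl, tmpl, &key.PublicKey, key)}
}

// crossCertify has issuer certify subject's name and CA key (one half of a cross-certificate pair).
func crossCertify(issuer, subject *Authority) *x509.Certificate {
	return sign(template(subject.Cert.Subject.CommonName, true), issuer.Cert, &subject.Key.PublicKey, issuer.Key)
}

func issueLeaf(issuer *Authority, dns string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return sign(template(dns, false), issuer.Cert, &key.PublicKey, issuer.Key)
}

// pathLen has crypto/x509 build a path from leaf to a root via intermediates (RFC 4158) and returns its length.
func pathLen(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) (int, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil // every scenario below admits exactly one path
}

// runScenarios measures the certification path under each trust model.
func runScenarios() (hierarchicalLen, bridgedLen int, noBridgeFails, rogueAccepted bool) {
	a, b, bridge := newAuthority("Root A"), newAuthority("Root B"), newAuthority("Bridge CA")
	leaf := issueLeaf(b, "service.b.example")
	// Hierarchical: a relying party trusting root B gets a two-certificate path.
	hierarchicalLen = must(pathLen(leaf, []*x509.Certificate{b.Cert}, nil))
	// Single CA, no bridge: trusting only A yields no path; the error type says why.
	_, err := pathLen(leaf, []*x509.Certificate{a.Cert}, nil)
	_, noBridgeFails = err.(x509.UnknownAuthorityError)
	// Bridge: leaf -> B (issued by bridge) -> bridge (issued by A) -> A, twice as long.
	cross := []*x509.Certificate{crossCertify(a, bridge), crossCertify(bridge, b)}
	bridgedLen = must(pathLen(leaf, []*x509.Certificate{a.Cert}, cross))
	// Trust list {A, B}: X.509 alone does not stop A from issuing for B's name.
	_, err = pathLen(issueLeaf(a, "service.b.example"), []*x509.Certificate{a.Cert, b.Cert}, nil)
	rogueAccepted = err == nil
	return
}

func main() {
	fmt.Println(runScenarios())
}
```

Running it prints ``2 4 true true``: two certificates in the hierarchical path, four through the bridge, no path when A is trusted without cross-certificates, and acceptance of A's certificate for B's name under the two-root trust list. The cross-certificates are ordinary CA certificates that reuse the cross-certified CA's subject and public key, which is exactly what lets the path builder step from one root's domain into another's; the same mechanism, with name constraints or policy mappings added to those cross-certificates, is how a bridge's transmitted trust is bounded.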