8.6. 公钥机制 (PKI)

公钥机制(PKI)是在不安全的网络上, 用于增加信息通讯的安全信心级别的安全平台. 它利用公钥和私钥的概念来核实发送者(签名)的身份以确保保密性(加密).

就 PKI 而言, 您要面对各种各样的问题:

a Certificate Authority (CA) that can issue and verify certificates, and that can work under a given hierarchy.
a Directory to hold user's public certificates.
a Database (?) to maintain Certificate Revocation Lists (CRL).
devices that interoperate with the CA in order to print out smart cards/USB tokens/whatever to securely store certificates.
certificate-aware applications that can use certificates issued by a CA to enroll in encrypted communication and check given certificates against CRL (for authentication and full Single Sign On solutions).
a Time stamping authority to digitally sign documents.
a management console from which all of this can be properly used (certificate generation, revocation list control, etc...).

Debian GNU/Linux has software packages to help you with some of these PKI issues. They include OpenSSL (for certificate generation), OpenLDAP (as a directory to hold the certificates), gnupg and openswan (with X.509 standard support). However, as of the Woody release (Debian 3.0), Debian does not have any of the freely available Certificate Authorities such as pyCA, http://www.openca.org or the CA samples from OpenSSL. For more information read the http://ospkibook.sourceforge.net/.