IETF approves ACME, a standard for working with SSL certificates

The IETF has approved the Automatic Certificate Management Environment (ACME) standard, which is meant to automate obtaining SSL certificates. Here is how it works.

Photo: Flickr / Cliff Johnson / CC BY-SA

Why was a standard needed?

On average, setting up an SSL certificate for a domain takes an administrator from one to three hours. If a mistake is made, the administrator has to wait until the request is rejected, and only then can it be resubmitted. All of this makes deploying large systems difficult.

The domain validation procedure differs from one certificate authority to another. This lack of a standard sometimes leads to security problems. In one well-known incident, a bug in its system caused one CA to validate every domain that was claimed. In such situations, SSL certificates can be issued for fraudulent resources.

The ACME protocol adopted by the IETF (specification RFC 8555) is intended to automate and standardize the process of obtaining a certificate. Removing the human factor should also improve the reliability and security of domain name validation.

The standard is open and anyone can contribute to its development. Instructions for doing so have been published in the project's GitHub repository.

How it works

ACME requests are exchanged over HTTPS as JSON messages. To use the protocol, an ACME client is installed on the target node; on its first contact with the CA it generates a unique key pair. From then on, that key pair is used to sign every message exchanged between the client and the server.

The first message contains contact information for the domain owner. It is signed with the private key and sent to the server together with the public key. The server verifies the signature and, if everything is in order, starts the procedure for issuing an SSL certificate.

To obtain a certificate, the client must prove to the server that it controls the domain. To do so, it performs actions that only the domain owner can perform. For example, the certificate authority can generate a unique token and ask the client to place it on the site. The CA then makes a web or DNS query to retrieve the key derived from that token.

In the HTTP case, for example, the key derived from the token must be placed in a file that the web server will serve. With DNS validation, the certificate authority looks for the unique key in the text (TXT) record of the domain. If everything checks out, the server confirms that the client has been validated and the CA issues the certificate.
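The two challenge types described above are defined by RFC 8555 in terms of a "key authorization" built from the challenge token and a thumbprint of the account key (RFC 7638). The following is an added example, not code from the article or from any ACME client or CA, that derives the http-01 body and the dns-01 TXT value and shows the check the CA performs; the P-256 account key and the token are constructed samples, and the function names are the author's own.

```python
import base64
import hashlib
import hmac
import json
import re

# RFC 7638 section 3.2: only these members enter the thumbprint, so "d" or "kid" do not change it.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
# RFC 8555 section 8.3: tokens contain only base64url characters.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def thumbprint_input(jwk: dict) -> bytes:
    """Canonical JSON: required members only, lexicographically sorted, no whitespace."""
    subset = {k: jwk[k] for k in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()

def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(thumbprint_input(jwk)).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey)).
    A token with other characters is rejected before it can become a path or a DNS label."""
    if not _TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_challenge(token: str, account_jwk: dict) -> tuple:
    """(URL path, body) the web server must serve for http-01."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(keyAuthorization))."""
    ka = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(ka).digest())

def verify_http01_body(body: str, token: str, account_jwk: dict) -> bool:
    """The CA-side check: constant-time comparison of the fetched body."""
    return hmac.compare_digest(body.strip(), key_authorization(token, account_jwk))

if __name__ == "__main__":
    # Constructed sample account key (public part of a P-256 JWK), not a real key.
    jwk = {"kty": "EC", "crv": "P-256",
           "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
           "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed sample token
    print(*http01_challenge(token, jwk), dns01_txt_value(token, jwk), sep="\n")
```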

Photo: Flickr / Blondinrikard Fröberg / CC BY

Opinions

According to the IETF, ACME will be useful for administrators who have to manage many domain names. The standard will help bind each of them to the required SSL certificate.

Among the standard's advantages, experts also point to several security mechanisms. They are meant to ensure that SSL certificates are issued only to the real owners of a domain. In particular, the DNSSEC set of extensions is used to protect against DNS attacks, and to protect against DoS the standard limits the rate of individual requests, for example HTTP POST requests. The ACME developers themselves recommend, as a further security improvement, adding entropy to DNS queries and performing them from multiple points on the network.

Similar solutions

The SCEP and EST protocols are also used to obtain certificates.

The first was developed at Cisco Systems. Its goal was to simplify the procedure for issuing X.509 digital certificates and to make it as scalable as possible. Before SCEP, this process required the active involvement of system administrators and scaled poorly. Today the protocol is one of the most widely used.

As for EST, it allows PKI clients to obtain certificates over secure channels. It uses TLS to transport messages and issue SSL certificates, and to bind the CSR to its sender. In addition, EST supports elliptic curve cryptography, which adds a further layer of security.

In the experts' view, solutions like ACME will need to become more widespread. They offer a simplified and secure model for setting up SSL, and they also speed up the process.


Source: www.habr.com
