IETF approves ACME, a standard for working with SSL certificates

The IETF has approved the Automatic Certificate Management Environment (ACME) standard, which will help automate the issuance of SSL certificates. Here is how it works.

/flickr/ Cliff Johnson / CC BY-SA

Why was a standard needed?

By some estimates, an administrator can spend from one to three hours configuring each SSL certificate on a domain. If a mistake is made, you have to wait until the request is rejected, after which it can be submitted again. All of this makes deploying large systems harder.

The domain verification procedure can differ from one certificate authority to another. This lack of standardization sometimes leads to security problems. In one well-known incident, because of a bug in its system, a CA validated every domain that was claimed. In such situations, SSL certificates can be issued for fraudulent resources.

The ACME protocol approved by the IETF (specification in RFC 8555) is meant to automate and standardize the process of obtaining a certificate. Removing the human factor should also improve the reliability and security of domain name verification.

The standard is open and anyone can take part in its development. Instructions are published in the repository on GitHub.

How it works

ACME requests are exchanged over HTTPS using JSON messages. To work with the protocol, you need to install an ACME client on the target host; it generates a unique key pair the first time it contacts the CA. Those keys are then used to sign all messages between the client and the server.

The first message contains contact information about the domain owner. It is signed with the private key and sent to the server together with the public key. The server checks the signature and, if everything is in order, starts the procedure for issuing an SSL certificate.

To obtain a certificate, the client must prove to the server that it controls the domain. To do this, it performs actions that are available only to the owner. For example, the certificate authority can generate a unique token and ask the client to place it on the site. The CA then performs a web or DNS query to retrieve the key derived from that token.

For example, in the HTTP case, the key derived from the token must be placed in a file that the web server will serve. During DNS verification, the certificate authority looks for the unique key in a DNS TXT record. If everything goes well, the server confirms that the client has been verified and the CA issues the certificate.
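As an added example (not code from the article or from any particular ACME client), the following shows how the HTTP and DNS challenge values just described are derived from the CA's token and the client's account key as RFC 8555 specifies, together with the comparison the CA performs. The account key coordinates and the token used in it are constructed sample values.

```python
import base64
import hashlib
import json
import re

# RFC 7638: only these public members enter the thumbprint, in lexicographic order.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

# Constructed sample account key (P-256 public part only); not a real ACME account.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}

def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_sha256(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint; private members such as 'd' never take part."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url_sha256(canonical.encode("utf-8"))

def is_valid_token(token: str) -> bool:
    """Reject CA-supplied tokens that could escape the challenge directory (e.g. '../')."""
    return re.fullmatch(r"[A-Za-z0-9_-]+", token) is not None

def key_authorization(token: str, account_jwk: dict) -> str:
    """token.thumbprint: proves the responder holds the account key that signed the order."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_response(token: str, account_jwk: dict):
    """URL path the CA will fetch over HTTP and the exact body it expects to find there."""
    if not is_valid_token(token):
        raise ValueError("refusing to write a challenge file for a malformed token")
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value of the _acme-challenge.<domain> TXT record: SHA-256 of the key authorization."""
    return b64url_sha256(key_authorization(token, account_jwk).encode("ascii"))

def ca_validates_http01(fetched_body: str, token: str, account_jwk: dict) -> bool:
    """CA-side comparison; RFC 8555 lets the server ignore trailing whitespace only."""
    return fetched_body.rstrip() == key_authorization(token, account_jwk)
```

Because the thumbprint is bound to the account key, a third party who merely copies the token cannot produce a response the CA will accept for their own account.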

/flickr/ Blondinrikard Froberg / CC BY

Prospects

According to the IETF, ACME will be useful to administrators who have to work with many domain names. The standard will help bind each of them to the required SSL certificate.

Among the standard's advantages, experts also note several security mechanisms. They are meant to ensure that SSL certificates are issued only to genuine registrants. In particular, the DNSSEC set of extensions is used to protect against DNS attacks, and to protect against DoS the standard limits the rate of individual requests, for example HTTP POST requests. To raise security further, the ACME developers themselves recommend adding entropy to DNS queries and performing them from several points in the network.

Similar solutions

The SCEP and EST protocols are also used to obtain certificates.

The first was developed by Cisco Systems. Its goal was to simplify the process of issuing X.509 digital certificates and make it as scalable as possible. Before SCEP, the process required active participation by system administrators and did not scale well. Today, this protocol is one of the most common.

As for EST, it allows PKI clients to obtain certificates over secure channels. It uses TLS to transmit messages and issue SSL certificates, as well as to bind the CSR to the sender. In addition, EST supports elliptic curve cryptography, which adds a further layer of protection.

In the experts' opinion, solutions like ACME will need wider adoption. They offer a simplified and secure model for setting up SSL and also speed up the process.


Source: www.habr.com
