Hyperledger Fabric 1.3 官方文档翻译（三）关键概念 (Key Concepts) - 3.5 身份 (Identity)

身份（Identity）

什么是身份（What is an Identity）?

The different actors in a blockchain network include peers, orderers, client applications, administrators and more. Each of these actors — active elements inside or outside a network able to consume services — has a digital identity encapsulated in an X.509 digital certificate. These identities really matter because they determine the exact permissions over resources and access to information that actors have in a blockchain network.
区块链网络中的不同参与者包括对等节点、排序节点、客户端应用程序、管理员等。 这些参与者中的每一个 — 网络内部或外部能够使用服务的活动元素 — 都具有封装在X.509数字证书中的数字身份。 这些身份确实很重要，因为它们确定了资源的确切权限，以及访问区块链网络中参与者信息的确切权限。

A digital identity furthermore has some additional attributes that Fabric uses to determine permissions, and it gives the union of an identity and the associated attributes a special name — principal. Principals are just like userIDs or groupIDs, but a little more flexible because they can include a wide range of properties of an actor’s identity, such as the actor’s organization, organizational unit, role or even the actor’s specific identity. When we talk about principals, they are the properties which determine their permissions.
此外，数字身份还具有Fabric用于确定权限的一些附加属性，并且它为身份和关联属性的合集提供了一个特殊名称 — ** 委托人（principal） **。 委托人就像userIDs或groupIDs，但更灵活一点，因为它们可以包含参与者身份的各种属性，例如参与者的组织、部门、角色甚至是参与者的特殊身份。 当我们谈论委托人时，它们是决定其权限的属性。

For an identity to be verifiable, it must come from a trusted authority. A membership service provider (MSP) is how this is achieved in Fabric. More specifically, an MSP is a component that defines the rules that govern the valid identities for this organization. The default MSP implementation in Fabric uses X.509 certificates as identities, adopting a traditional Public Key Infrastructure (PKI) hierarchical model (more on PKI later).
对于可验证的身份，它必须来自受信任的机构。 会员服务提供者（MSP）是Fabric用来实现这个的。 更具体地说，MSP是定义管理该组织的有效身份规则的组件。Fabric中的默认MSP实现使用X.509证书作为身份，采用传统的公钥基础设施（PKI）分层模型（稍后将详细介绍PKI）。

一个简单的场景来解释身份的使用（A Simple Scenario to Explain the Use of an Identity）

Imagine that you visit a supermarket to buy some groceries. At the checkout you see a sign that says that only Visa, Mastercard and AMEX cards are accepted. If you try to pay with a different card — let’s call it an “ImagineCard” — it doesn’t matter whether the card is authentic and you have sufficient funds in your account. It will be not be accepted.
想象一下，你去超市购买一些杂货。 在结账时，您会看到一个标志，表示只接受Visa、Mastercard和AMEX卡。 如果您尝试使用其他卡付款 - 我们称之为“ImagineCard” - 无论该卡是否真实且您的帐户中有足够的资金都无关紧要。 它不会被接受。

Having a valid credit card is not enough — it must also be accepted by the store! PKIs and MSPs work together in the same way — a PKI provides a list of identities, and an MSP says which of these are members of a given organization that participates in the network.
拥有有效的信用卡是不够的 - 它也必须被商店接受！ PKI和MSP以相同的方式协同工作 - PKI提供身份列表，MSP说这些是参与网络的特定组织的成员。

PKI certificate authorities and MSPs provide a similar combination of functionalities. A PKI is like a card provider — it dispenses many different types of verifiable identities. An MSP, on the other hand, is like the list of card providers accepted by the store, determining which identities are the trusted members (actors) of the store payment network. MSPs turn verifiable identities into the members of a blockchain network.
PKI证书颁发机构和MSP提供了类似的功能组合。 PKI就像一个卡提供商 - 它分配了许多不同类型的可验证身份。 另一方面，MSP类似于商店接受的卡提供商列表，确定哪些身份是商店支付网络的可信成员（参与者）。 ** MSP将可验证的身份转变为区块链网络的成员**。

Let’s drill into these concepts in a little more detail.
让我们更详细地深入研究这些概念。

什么是公钥基础设施（What are PKIs）?

A public key infrastructure (PKI) is a collection of internet technologies that provides secure communications in a network. It’s PKI that puts the S in HTTPS — and if you’re reading this documentation on a web browser, you’re probably using a PKI to make sure it comes from a verified source.
公钥基础设施（PKI）是一组互联网技术，可在网络中提供安全通信。 PKI将** 安全（S） 置于 HTTPS ** - 如果你正在阅读此文档在Web浏览器上，您可能正在使用PKI来确保它来自经过验证的源。

The elements of Public Key Infrastructure (PKI). A PKI is comprised of Certificate Authorities who issue digital certificates to parties (e.g., users of a service, service provider), who then use them to authenticate themselves in the messages they exchange with their environment. A CA’s Certificate Revocation List (CRL) constitutes a reference for the certificates that are no longer valid. Revocation of a certificate can happen for a number of reasons. For example, a certificate may be revoked because the cryptographic private material associated to the certificate has been exposed.
公钥基础设施（PKI）的要素。 PKI由向各方（例如服务的用户、服务提供者）发布数字证书的证书颁发机构组成，各方使用CA在他们环境交换的消息中对自己进行认证。 CA的证书撤销列表（CRL）构成不再有效的证书的参考。 证书的撤销可能由于多种原因而发生。 例如，证书可能会因为与证书关联的加密私有材料已被暴露而被撤销。

Although a blockchain network is more than a communications network, it relies on the PKI standard to ensure secure communication between various network participants, and to ensure that messages posted on the blockchain are properly authenticated. It’s therefore important to understand the basics of PKI and then why MSPs are so important.
虽然区块链网络不仅仅是一个通信网络，但它依赖于PKI标准来确保各个网络参与者之间的安全通信，并确保在区块链上发布的消息得到正确的认证。 因此，了解PKI的基础知识是非常重要的，以及知道为什么MSP如此重要。

There are four key elements to PKI:
PKI有四个关键要素：

• Digital Certificates
  数字证书
• Public and Private Keys
  公钥和私钥
• Certificate Authorities
  证书颁发机构
• Certificate Revocation Lists
  证书撤销清单
  Let’s quickly describe these PKI basics, and if you want to know more details, Wikipedia is a good place to start.
  让我们快速描述这些PKI基础知识，如果您想了解更多细节，维基百科是一个很好的起点。

数字证书（Digital Certificates）

A digital certificate is a document which holds a set of attributes relating to the holder of the certificate. The most common type of certificate is the one compliant with the X.509 standard, which allows the encoding of a party’s identifying details in its structure.
数字证书是包含与证书持有者有关的一组属性的文档。 最常见的证书类型是符合X.509标准的证书，它允许在其结构中编码当事人的识别细节。

For example, Mary Morris in the Manufacturing Division of Mitchell Cars in Detroit, Michigan might have a digital certificate with a SUBJECT attribute of C=US, ST=Michigan, L=Detroit, O=Mitchell Cars, OU=Manufacturing, CN=Mary Morris /UID=123456. Mary’s certificate is similar to her government identity card — it provides information about Mary which she can use to prove key facts about her. There are many other attributes in an X.509 certificate, but let’s concentrate on just these for now.
例如，位于密歇根州底特律的Mitchell汽车制造部门的Mary Morris可能拥有SUBJECT属性为C=US、ST=Michigan、L=Detroit、O=Mitchell Cars、OU=Manufacturing、CN=Mary Morris/UID=123456 的数字证书。她的证书类似于她的政府身份证 - 它提供了Mary的信息，她可以用来证明关于她的重要事实。 X.509证书中还有许多其他属性，但现在让我们专注于这些。

A digital certificate describing a party called Mary Morris. Mary is the SUBJECT of the certificate, and the highlighted SUBJECT text shows key facts about Mary. The certificate also holds many more pieces of information, as you can see. Most importantly, Mary’s public key is distributed within her certificate, whereas her private signing key is not. This signing key must be kept private.
描述一个名为Mary Morris的当事人数字证书。 Mary是证书的SUBJECT，突出显示的SUBJECT文本显示了关于Mary的重要事实。 如您所见，证书还包含更多信息。 最重要的是，Mary的公钥是随着她的证书中分发的，而她的私钥则不是。 私钥必须保密。

What is important is that all of Mary’s attributes can be recorded using a mathematical technique called cryptography (literally, “secret writing”) so that tampering will invalidate the certificate. Cryptography allows Mary to present her certificate to others to prove her identity so long as the other party trusts the certificate issuer, known as a Certificate Authority (CA). As long as the CA keeps certain cryptographic information securely (meaning, its own private signing key), anyone reading the certificate can be sure that the information about Mary has not been tampered with — it will always have those particular attributes for Mary Morris. Think of Mary’s X.509 certificate as a digital identity card that is impossible to change.
重要的是，玛丽的所有属性都可以使用称为密码学（字面意思，“秘密写作”）的数学技术进行记录，这样篡改将使证书无效。 只要对方信任证书颁发者（称为证书颁发机构（CA）），密码学就允许Mary将证书呈现给其他人以证明其身份。 只要CA安全地保存某些加密信息（意思是，它自己的私钥），任何阅读证书的人都可以确定关于Mary的信息没有被篡改 - 它将始终具有Mary Morris的那些特定属性。将Mary的X.509证书视为无法改变的数字身份证。

身份验证、公钥和私钥（Authentication, Public keys, and Private Keys）

Authentication and message integrity are important concepts in secure communications. Authentication requires that parties who exchange messages are assured of the identity that created a specific message. For a message to have “integrity” means that cannot have been modified during its transmission. For example, you might want to be sure you’re communicating with the real Mary Morris rather than an impersonator. Or if Mary has sent you a message, you might want to be sure that it hasn’t been tampered with by anyone else during transmission.
身份验证和消息完整性是安全通信中的重要概念。 身份验证要求交换消息的各方确保创建特定消息的身份。 对于具有“完整性”的消息意味着在其传输期间不能被修改。 例如，您可能希望确保与真正的Mary Morris而不是模仿者进行沟通。 或者，如果Mary向您发送了一条消息，您可能希望确保其在传输过程中没有被其他任何人篡改过。

Traditional authentication mechanisms rely on digital signatures that, as the name suggests, allow a party to digitally sign its messages. Digital signatures also provide guarantees on the integrity of the signed message.
传统的身份验证机制依赖于数字签名，顾名思义，它允许一方以数字方式签署其消息。 数字签名还可以保证签名消息的完整性。

Technically speaking, digital signature mechanisms require each party to hold two cryptographically connected keys: a public key that is made widely available and acts as authentication anchor, and a private key that is used to produce digital signatures on messages. Recipients of digitally signed messages can verify the origin and integrity of a received message by checking that the attached signature is valid under the public key of the expected sender.
从技术上讲，数字签名机制要求每一方保留两个关联的密钥：广泛可用的公钥充当认证的靠山，以及用于在消息上生成数字签名的私钥。 数字签名消息的接收者可以在预期发送者的公钥下通过检查附加签名是否有效来验证被接收消息的来源和完整性。

The unique relationship between a private key and the respective public key is the cryptographic magic that makes secure communications possible. The unique mathematical relationship between the keys is such that the private key can be used to produce a signature on a message that only the corresponding public key can match, and only on the same message.
私钥和相应公钥之间的唯一关系是使安全通信成为可能的加密魔法。密钥之间的唯一数学关系使得私钥可用于在消息上产生签名。 只有相应的公钥才能匹配，并且只能在同一条消息上匹配。

In the example above, Mary uses her private key to sign the message. The signature can be verified by anyone who sees the signed message using her public key.
在上面的示例中，Mary使用她的私钥对邮件进行签名。 任何使用她的公钥查看签名消息的人都可以验证签名。

证书颁发机构（Certificate Authorities）

As you’ve seen, an actor or a node is able to participate in the blockchain network, via the means of a digital identity issued for it by an authority trusted by the system. In the most common case, digital identities (or simply identities) have the form of cryptographically validated digital certificates that comply with X.509 standard and are issued by a Certificate Authority (CA).
如你所见，参与者或节点能够通过由系统信任的机构为其发布的数字身份参与区块链网络。 在最常见的情况下，数字身份（或简称身份）具有符合X.509标准并由证书颁发机构（CA）颁发的经加密验证的数字证书的形式。

CAs are a common part of internet security protocols, and you’ve probably heard of some of the more popular ones: Symantec (originally Verisign), GeoTrust, DigiCert, GoDaddy, and Comodo, among others.
CA是互联网安全协议的常见部分，您可能已经听说过一些比较流行的协议：Symantec（最初是Verisign）、GeoTrust、DigiCert、GoDaddy和Comodo等。

A Certificate Authority dispenses certificates to different actors. These certificates are digitally signed by the CA and bind together the actor with the actor’s public key (and optionally with a comprehensive list of properties). As a result, if one trusts the CA (and knows its public key), it can trust that the specific actor is bound to the public key included in the certificate, and owns the included attributes, by validating the CA’s signature on the actor’s certificate.
证书颁发机构向不同的参与者分发证书。 这些证书由CA进行数字签名，并将参与者与其公钥绑定在一起（并且具有可选地全面属性列表）。 因此，如果一个人信任CA（并且知道其公钥），则可以信任特定参与者绑定到证书中包含的公钥，并通过验证参与者证书上的CA签名来拥有所包含的属性。。

Certificates can be widely disseminated, as they do not include either the actors’ nor the CA’s private keys. As such they can be used as anchor of trusts for authenticating messages coming from different actors.
证书可以广泛传播，因为它们既不包括参与者也不包括CA的私钥。 因此，它们可以用作信任的靠山，用于验证来自不同参与者的消息。

CAs also have a certificate, which they make widely available. This allows the consumers of identities issued by a given CA to verify them by checking that the certificate could only have been generated by the holder of the corresponding private key (the CA).
CA也有一个证书，它们可以广泛获得。 这允许CA发布身份的消费者，通过检查他们的证书（只能由相应私钥的持有者（即CA）生成）来验证CA自身的证书。

In a blockchain setting, every actor who wishes to interact with the network needs an identity. In this setting, you might say that one or more CAs can be used to define the members of an organization’s from a digital perspective. It’s the CA that provides the basis for an organization’s actors to have a verifiable digital identity.
在区块链设置中，希望在网络交互的每个参与者都需要一个身份。 在此设置中，您可能会说一个或多个CA 可用于从数字角度定义组织成员。 CA是为组织的参与者提供可验证的数字身份的基础。

根CA、中间CA和信任链（Root CAs, Intermediate CAs and Chains of Trust）

CAs come in two flavors: Root CAs and Intermediate CAs. Because Root CAs (Symantec, Geotrust, etc) have to securely distribute hundreds of millions of certificates to internet users, it makes sense to spread this process out across what are called Intermediate CAs. These Intermediate CAs have their certificates issued by the root CA or another intermediate authority, allowing the establishment of a “chain of trust” for any certificate that is issued by any CA in the chain. This ability to track back to the Root CA not only allows the function of CAs to scale while still providing security — allowing organizations that consume certificates to use Intermediate CAs with confidence — it limits the exposure of the Root CA, which, if compromised, would endanger the entire chain of trust. If an Intermediate CA is compromised, on the other hand, there will be a much smaller exposure.
CA有两种形式：根CA 和中间CA 。 由于根CA（赛门铁克、Geotrust等）必须向互联网用户安全地分发数亿个证书，因此将此过程分散到所谓的中间CA中是有道理的。 这些中间CA具有由根CA或其他中间机构颁发的证书，允许为链中的任何CA颁发的任何证书建立“信任链”。 追溯到根CA的这种能力不仅允许CA的功能在仍然提供安全性的同时进行扩展 - 允许使用证书的组织充满信心地使用中间CA–它限制了根CA的暴露，如果根CA受到损害，将会危及整个信任链。 另一方面，如果中级CA受到损害，则曝光量会小得多。

A chain of trust is established between a Root CA and a set of Intermediate CAs as long as the issuing CA for the certificate of each of these Intermediate CAs is either the Root CA itself or has a chain of trust to the Root CA.
只要每个中间CA的证书颁发机构是根CA本身或具有对根CA的信任链，就可以在根CA和一组中间CA之间建立信任链。

Intermediate CAs provide a huge amount of flexibility when it comes to the issuance of certificates across multiple organizations, and that’s very helpful in a permissioned blockchain system (like Fabric). For example, you’ll see that different organizations may use different Root CAs, or the same Root CA with different Intermediate CAs — it really does depend on the needs of the network.
中间CA在跨多个组织颁发证书时提供了巨大的灵活性，这在要许可的区块链系统（如Fabric）中非常有用。 例如，您将看到不同的组织可能使用不同的根CA，或者使用具有不同中间CA的相同根CA - 它确实取决于网络的需求。

Fabric CA

It’s because CAs are so important that Fabric provides a built-in CA component to allow you to create CAs in the blockchain networks you form. This component — known as Fabric CA is a private root CA provider capable of managing digital identities of Fabric participants that have the form of X.509 certificates. Because Fabric CA is a custom CA targeting the Root CA needs of Fabric, it is inherently not capable of providing SSL certificates for general/automatic use in browsers. However, because some CA must be used to manage identity (even in a test environment), Fabric CA can be used to provide and manage certificates. It is also possible — and fully appropriate — to use a public/commerical root or intermediate CA to provide identification.
因为CA非常重要，Fabric提供了一个内置的CA组件，允许你在你构建的区块链网络中创建CA。此组件（称为** Fabric CA ）是一个私有根CA提供者，能够管理具有X.509证书形式的Fabric参与者的数字身份。 由于Fabric CA是针对Fabric的根CA需求的自定义CA，因此它本身无法为浏览器中的常规/自动使用提供SSL证书。 但是，因为必须使用某些** CA来管理身份（即使在测试环境中），Fabric CA也可用于提供和管理证书。 使用公共/商业根或中间CA来提供识别也是可能的 - 并且完全合适。

If you’re interested, you can read a lot more about Fabric CA in the CA documentation section.
如果你有兴趣，可以阅读更多关于Fabric CA 在CA文档部分的内容。

证书撤销列表（Certificate Revocation Lists）

A Certificate Revocation List (CRL) is easy to understand — it’s just a list of references to certificates that a CA knows to be revoked for one reason or another. If you recall the store scenario, a CRL would be like a list of stolen credit cards.
证书撤销列表（CRL）很容易理解 - 它只是CA知道由于某种原因而被撤销的证书的引用列表。 如果您回想一下商店场景，CRL就像被盗信用卡列表一样。

When a third party wants to verify another party’s identity, it first checks the issuing CA’s CRL to make sure that the certificate has not been revoked. A verifier doesn’t have to check the CRL, but if they don’t they run the risk of accepting a compromised identity.
当第三方想要验证另一方的身份时，它首先检查颁发CA的CRL以确保证书尚未被撤销。 验证者不是必须检查CRL，但如果不检查，则他们将冒着接受受损身份的风险。

Using a CRL to check that a certificate is still valid. If an impersonator tries to pass a compromised digital certificate to a validating party, it can be first checked against the issuing CA’s CRL to make sure it’s not listed as no longer valid.
使用CRL检查证书是否仍然有效。如果模仿者试图将受损的数字证书传递给验证方，则验证方可以先针对颁发CA的CRL进行检查，以确保其未列为不再有效。

Note that a certificate being revoked is very different from a certificate expiring. Revoked certificates have not expired — they are, by every other measure, a fully valid certificate. For more in-depth information about CRLs, click here.
请注意，证书被撤销与证书过期非常不同。撤销的证书尚未过期 - 按其他措施，它们是完全有效的证书。有关CRL的更深入信息，请单击这里.

Now that you’ve seen how a PKI can provide verifiable identities through a chain of trust, the next step is to see how these identities can be used to represent the trusted members of a blockchain network. That’s where a Membership Service Provider (MSP) comes into play — it identifies the parties who are the members of a given organization in the blockchain network.
现在您已经了解了PKI如何通过信任链提供可验证的身份，下一步是了解如何使用这些身份来代表区块链网络的可信成员。这就是会员服务提供者（MSP）发挥作用的地方 - 它识别了区块链网络中特定组织的各个成员。

To learn more about membership, check out the conceptual documentation on MSPs.
要了解有关成员资格的更多信息，请查看MSPs的概念文档。