Hyperledger Fabric v1.4 (LTS) Series (3.5): Key Concepts - Identity

Translation index:

Hyperledger Fabric v1.4 (LTS) series: full translation index

Key Concepts-Identity

  • Introduction
  • Hyperledger Fabric Functionalities
  • Hyperledger Fabric Model
  • Blockchain network
  • Identity
  • Membership
  • Peers
  • Smart Contracts and Chaincode
  • Ledger
  • The Ordering Service
  • Private data
  • Use Cases

Identity

What is an Identity?

The different actors in a blockchain network include peers, orderers, client applications, administrators and more. Each of these actors — active elements inside or outside a network able to consume services — has a digital identity encapsulated in an X.509 digital certificate. These identities really matter because they determine the exact permissions over resources and access to information that actors have in a blockchain network.

A digital identity furthermore has some additional attributes that Fabric uses to determine permissions, and it gives the union of an identity and the associated attributes a special name — principal. Principals are just like userIDs or groupIDs, but a little more flexible because they can include a wide range of properties of an actor’s identity, such as the actor’s organization, organizational unit, role or even the actor’s specific identity. When we talk about principals, they are the properties which determine their permissions.

For an identity to be verifiable, it must come from a trusted authority. A membership service provider (MSP) is how this is achieved in Fabric. More specifically, an MSP is a component that defines the rules that govern the valid identities for this organization. The default MSP implementation in Fabric uses X.509 certificates as identities, adopting a traditional Public Key Infrastructure (PKI) hierarchical model (more on PKI later).

A Simple Scenario to Explain the Use of an Identity

Imagine that you visit a supermarket to buy some groceries. At the checkout you see a sign that says that only Visa, Mastercard and AMEX cards are accepted. If you try to pay with a different card — let’s call it an “ImagineCard” — it doesn’t matter whether the card is authentic and you have sufficient funds in your account. It will not be accepted.

Scenario

Having a valid credit card is not enough — it must also be accepted by the store! PKIs and MSPs work together in the same way — a PKI provides a list of identities, and an MSP says which of these are members of a given organization that participates in the network.

PKI certificate authorities and MSPs provide a similar combination of functionalities. A PKI is like a card provider — it dispenses many different types of verifiable identities. An MSP, on the other hand, is like the list of card providers accepted by the store, determining which identities are the trusted members (actors) of the store payment network. MSPs turn verifiable identities into the members of a blockchain network.
Let’s drill into these concepts in a little more detail.


Translator's note:
This is not hard to understand. Put simply, the PKI provides the identities, and the MSP decides which PKIs are accepted.

What are PKIs?

A public key infrastructure (PKI) is a collection of internet technologies that provides secure communications in a network. It’s PKI that puts the S in HTTPS — and if you’re reading this documentation on a web browser, you’re probably using a PKI to make sure it comes from a verified source.

PKI

The elements of Public Key Infrastructure (PKI). A PKI is comprised of Certificate Authorities who issue digital certificates to parties (e.g., users of a service, service provider), who then use them to authenticate themselves in the messages they exchange with their environment. A CA’s Certificate Revocation List (CRL) constitutes a reference for the certificates that are no longer valid. Revocation of a certificate can happen for a number of reasons. For example, a certificate may be revoked because the cryptographic private material associated with the certificate has been exposed.

Translator's note:
“Cryptographic private material” is simply the private key.

Although a blockchain network is more than a communications network, it relies on the PKI standard to ensure secure communication between various network participants, and to ensure that messages posted on the blockchain are properly authenticated. It’s therefore important to understand the basics of PKI and then why MSPs are so important.


There are four key elements to PKI:

  • Digital Certificates
  • Public and Private Keys
  • Certificate Authorities
  • Certificate Revocation Lists


Let’s quickly describe these PKI basics, and if you want to know more details, Wikipedia is a good place to start.

Digital Certificates

A digital certificate is a document which holds a set of attributes relating to the holder of the certificate. The most common type of certificate is the one compliant with the X.509 standard, which allows the encoding of a party’s identifying details in its structure.

For example, Mary Morris in the Manufacturing Division of Mitchell Cars in Detroit, Michigan might have a digital certificate with a SUBJECT attribute of C=US, ST=Michigan, L=Detroit, O=Mitchell Cars, OU=Manufacturing, CN=Mary Morris /UID=123456. Mary’s certificate is similar to her government identity card — it provides information about Mary which she can use to prove key facts about her. There are many other attributes in an X.509 certificate, but let’s concentrate on just these for now.

DigitalCertificate

A digital certificate describing a party called Mary Morris. Mary is the SUBJECT of the certificate, and the highlighted SUBJECT text shows key facts about Mary. The certificate also holds many more pieces of information, as you can see. Most importantly, Mary’s public key is distributed within her certificate, whereas her private signing key is not. This signing key must be kept private.

What is important is that all of Mary’s attributes can be recorded using a mathematical technique called cryptography (literally, “secret writing”) so that tampering will invalidate the certificate. Cryptography allows Mary to present her certificate to others to prove her identity so long as the other party trusts the certificate issuer, known as a Certificate Authority (CA). As long as the CA keeps certain cryptographic information securely (meaning, its own private signing key), anyone reading the certificate can be sure that the information about Mary has not been tampered with — it will always have those particular attributes for Mary Morris. Think of Mary’s X.509 certificate as a digital identity card that is impossible to change.

Authentication, Public keys, and Private Keys

Authentication and message integrity are important concepts in secure communications. Authentication requires that parties who exchange messages are assured of the identity that created a specific message. For a message to have “integrity” means that it cannot have been modified during its transmission. For example, you might want to be sure you’re communicating with the real Mary Morris rather than an impersonator. Or if Mary has sent you a message, you might want to be sure that it hasn’t been tampered with by anyone else during transmission.

Traditional authentication mechanisms rely on digital signatures that, as the name suggests, allow a party to digitally sign its messages. Digital signatures also provide guarantees on the integrity of the signed message.

Technically speaking, digital signature mechanisms require each party to hold two cryptographically connected keys: a public key that is made widely available and acts as an authentication anchor, and a private key that is used to produce digital signatures on messages. Recipients of digitally signed messages can verify the origin and integrity of a received message by checking that the attached signature is valid under the public key of the expected sender.

The unique relationship between a private key and the respective public key is the cryptographic magic that makes secure communications possible. The unique mathematical relationship between the keys is such that the private key can be used to produce a signature on a message that only the corresponding public key can match, and only on the same message.

AuthenticationKeys

In the example above, Mary uses her private key to sign the message. The signature can be verified by anyone who sees the signed message using her public key.
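The sign-then-verify exchange described above, as an added example in Go (not code from the Fabric documentation or from Fabric itself). It uses ECDSA over P-256 with SHA-256, the scheme Fabric uses by default; the key names and the message are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewSigningKey generates an ECDSA P-256 key pair: the private half is the
// signing key Mary must keep secret, the embedded PublicKey is what her X.509
// certificate carries to the world.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignMessage hashes the message with SHA-256 and signs the digest with the
// private key. The result is an ASN.1 DER-encoded (r, s) signature.
func SignMessage(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyMessage recomputes the digest and checks the signature under the
// expected sender's public key. It fails if the message was altered in
// transit or if the signature was made with some other private key.
func VerifyMessage(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	mary, _ := NewSigningKey()
	impostor, _ := NewSigningKey()
	msg := []byte("constructed sample message from Mary Morris") // constructed input
	sig, _ := SignMessage(mary, msg)
	fmt.Println("genuine message, Mary's key:   ", VerifyMessage(&mary.PublicKey, msg, sig))
	fmt.Println("tampered message, Mary's key:  ", VerifyMessage(&mary.PublicKey, []byte("tampered"), sig))
	fmt.Println("genuine message, impostor key: ", VerifyMessage(&impostor.PublicKey, msg, sig))
}
```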

Certificate Authorities

As you’ve seen, an actor or a node is able to participate in the blockchain network, via the means of a digital identity issued for it by an authority trusted by the system. In the most common case, digital identities (or simply identities) have the form of cryptographically validated digital certificates that comply with the X.509 standard and are issued by a Certificate Authority (CA).

CAs are a common part of internet security protocols, and you’ve probably heard of some of the more popular ones: Symantec (originally Verisign), GeoTrust, DigiCert, GoDaddy, and Comodo, among others.

CertificateAuthorities

A Certificate Authority dispenses certificates to different actors. These certificates are digitally signed by the CA and bind together the actor with the actor’s public key (and optionally with a comprehensive list of properties). As a result, if one trusts the CA (and knows its public key), it can trust that the specific actor is bound to the public key included in the certificate, and owns the included attributes, by validating the CA’s signature on the actor’s certificate.

Certificates can be widely disseminated, as they include neither the actors’ nor the CA’s private keys. As such they can be used as anchors of trust for authenticating messages coming from different actors.
CAs also have a certificate, which they make widely available. This allows the consumers of identities issued by a given CA to verify them by checking that the certificate could only have been generated by the holder of the corresponding private key (the CA).

In a blockchain setting, every actor who wishes to interact with the network needs an identity. In this setting, you might say that one or more CAs can be used to define the members of an organization from a digital perspective. It’s the CA that provides the basis for an organization’s actors to have a verifiable digital identity.

Root CAs, Intermediate CAs and Chains of Trust

CAs come in two flavors: Root CAs and Intermediate CAs. Because Root CAs (Symantec, Geotrust, etc.) have to securely distribute hundreds of millions of certificates to internet users, it makes sense to spread this process out across what are called Intermediate CAs. These Intermediate CAs have their certificates issued by the root CA or another intermediate authority, allowing the establishment of a “chain of trust” for any certificate that is issued by any CA in the chain. This ability to track back to the Root CA not only allows the function of CAs to scale while still providing security — allowing organizations that consume certificates to use Intermediate CAs with confidence — it limits the exposure of the Root CA, which, if compromised, would endanger the entire chain of trust. If an Intermediate CA is compromised, on the other hand, there will be a much smaller exposure.

ChainOfTrust

A chain of trust is established between a Root CA and a set of Intermediate CAs as long as the issuing CA for the certificate of each of these Intermediate CAs is either the Root CA itself or has a chain of trust to the Root CA.

Intermediate CAs provide a huge amount of flexibility when it comes to the issuance of certificates across multiple organizations, and that’s very helpful in a permissioned blockchain system (like Fabric). For example, you’ll see that different organizations may use different Root CAs, or the same Root CA with different Intermediate CAs — it really does depend on the needs of the network.

Fabric CA

It’s because CAs are so important that Fabric provides a built-in CA component to allow you to create CAs in the blockchain networks you form. This component — known as Fabric CA — is a private root CA provider capable of managing digital identities of Fabric participants that have the form of X.509 certificates. Because Fabric CA is a custom CA targeting the Root CA needs of Fabric, it is inherently not capable of providing SSL certificates for general/automatic use in browsers. However, because some CA must be used to manage identity (even in a test environment), Fabric CA can be used to provide and manage certificates. It is also possible — and fully appropriate — to use a public/commercial root or intermediate CA to provide identification.

If you’re interested, you can read a lot more about Fabric CA in the CA documentation section.

Certificate Revocation Lists

A Certificate Revocation List (CRL) is easy to understand — it’s just a list of references to certificates that a CA knows to be revoked for one reason or another. If you recall the store scenario, a CRL would be like a list of stolen credit cards.

When a third party wants to verify another party’s identity, it first checks the issuing CA’s CRL to make sure that the certificate has not been revoked. A verifier doesn’t have to check the CRL, but if they don’t they run the risk of accepting a compromised identity.

CRL

Using a CRL to check that a certificate is still valid. If an impersonator tries to pass a compromised digital certificate to a validating party, it can be first checked against the issuing CA’s CRL to make sure it’s not listed as no longer valid.

Note that a certificate being revoked is very different from a certificate expiring. Revoked certificates have not expired — they are, by every other measure, a fully valid certificate. For more in-depth information about CRLs, click here.
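To tie the chain-of-trust section and the CRL section together, here is an added example written against Go's standard crypto/x509 package (it is not code from the Fabric documentation or from Fabric CA): a constructed Root CA issues an Intermediate CA, the Intermediate CA issues Mary's certificate and a CRL, and Validate performs the two checks a verifier should make. The helpers Issue, IssueCRL and Validate are names assumed here, not Fabric APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Issue creates a P-256 key pair and a certificate for subject, signed by parentKey.
// parent == nil means self-signed, i.e. a Root CA. Errors are ignored for brevity.
func Issue(serial int64, subject pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subject, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA { // only a CA may sign certificates and CRLs
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // the root vouches for itself
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// IssueCRL has a CA sign a Certificate Revocation List containing the given entries.
func IssueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: revoked}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	return der
}

// Validate walks the chain of trust from leaf through inters up to a trusted root, then
// consults the issuing CA's CRL, which must carry that CA's signature and must not list leaf.
func Validate(leaf, issuer *x509.Certificate, inters, roots *x509.CertPool, crlDER []byte) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return err // no path to a trusted Root CA, or an expired / malformed certificate
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(issuer) != nil { // a CRL the CA did not sign proves nothing
		return errors.New("CRL missing, malformed or not signed by the issuing CA")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}
```

Go's Verify builds and checks the chain but never consults a CRL on its own, which is why Validate checks the revocation list explicitly.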

Now that you’ve seen how a PKI can provide verifiable identities through a chain of trust, the next step is to see how these identities can be used to represent the trusted members of a blockchain network. That’s where a Membership Service Provider (MSP) comes into play — it identifies the parties who are the members of a given organization in the blockchain network.

To learn more about membership, check out the conceptual documentation on MSPs (https://hyperledger-fabric.readthedocs.io/en/release-1.4/membership/membership.html).
