
Hyperledger Fabric 1.3 Official Documentation Translation (3): Key Concepts

Identity

What is an Identity?

The different actors in a blockchain network include peers, orderers, client applications, administrators and more. Each of these actors — active elements inside or outside a network able to consume services — has a digital identity encapsulated in an X.509 digital certificate. These identities really matter because they determine the exact permissions over resources and access to information that actors have in a blockchain network.

A digital identity furthermore has some additional attributes that Fabric uses to determine permissions, and it gives the union of an identity and the associated attributes a special name — principal. Principals are just like userIDs or groupIDs, but a little more flexible because they can include a wide range of properties of an actor’s identity, such as the actor’s organization, organizational unit, role or even the actor’s specific identity. When we talk about principals, they are the properties which determine their permissions.

For an identity to be verifiable, it must come from a trusted authority. A membership service provider (MSP) is how this is achieved in Fabric. More specifically, an MSP is a component that defines the rules that govern the valid identities for this organization. The default MSP implementation in Fabric uses X.509 certificates as identities, adopting a traditional Public Key Infrastructure (PKI) hierarchical model (more on PKI later).

A Simple Scenario to Explain the Use of an Identity

Imagine that you visit a supermarket to buy some groceries. At the checkout you see a sign that says that only Visa, Mastercard and AMEX cards are accepted. If you try to pay with a different card — let’s call it an “ImagineCard” — it doesn’t matter whether the card is authentic and you have sufficient funds in your account. It will not be accepted.

[Figure: Scenario]

Having a valid credit card is not enough — it must also be accepted by the store! PKIs and MSPs work together in the same way — a PKI provides a list of identities, and an MSP says which of these are members of a given organization that participates in the network.

PKI certificate authorities and MSPs provide a similar combination of functionalities. A PKI is like a card provider — it dispenses many different types of verifiable identities. An MSP, on the other hand, is like the list of card providers accepted by the store, determining which identities are the trusted members (actors) of the store payment network. MSPs turn verifiable identities into the members of a blockchain network.

Let’s drill into these concepts in a little more detail.

What are PKIs?

A public key infrastructure (PKI) is a collection of internet technologies that provides secure communications in a network. It’s PKI that puts the S in HTTPS — and if you’re reading this documentation on a web browser, you’re probably using a PKI to make sure it comes from a verified source.

[Figure: PKI]

The elements of Public Key Infrastructure (PKI). A PKI is comprised of Certificate Authorities who issue digital certificates to parties (e.g., users of a service, service provider), who then use them to authenticate themselves in the messages they exchange with their environment. A CA’s Certificate Revocation List (CRL) constitutes a reference for the certificates that are no longer valid. Revocation of a certificate can happen for a number of reasons. For example, a certificate may be revoked because the cryptographic private material associated to the certificate has been exposed.

Although a blockchain network is more than a communications network, it relies on the PKI standard to ensure secure communication between various network participants, and to ensure that messages posted on the blockchain are properly authenticated. It’s therefore important to understand the basics of PKI and then why MSPs are so important.

There are four key elements to PKI:

  • Digital Certificates
  • Public and Private Keys
  • Certificate Authorities
  • Certificate Revocation Lists

Let’s quickly describe these PKI basics, and if you want to know more details, Wikipedia is a good place to start.

Digital Certificates

A digital certificate is a document which holds a set of attributes relating to the holder of the certificate. The most common type of certificate is the one compliant with the X.509 standard, which allows the encoding of a party’s identifying details in its structure.

For example, Mary Morris in the Manufacturing Division of Mitchell Cars in Detroit, Michigan might have a digital certificate with a SUBJECT attribute of C=US, ST=Michigan, L=Detroit, O=Mitchell Cars, OU=Manufacturing, CN=Mary Morris /UID=123456. Mary’s certificate is similar to her government identity card — it provides information about Mary which she can use to prove key facts about her. There are many other attributes in an X.509 certificate, but let’s concentrate on just these for now.

[Figure: DigitalCertificate]

A digital certificate describing a party called Mary Morris. Mary is the SUBJECT of the certificate, and the highlighted SUBJECT text shows key facts about Mary. The certificate also holds many more pieces of information, as you can see. Most importantly, Mary’s public key is distributed within her certificate, whereas her private signing key is not. This signing key must be kept private.

What is important is that all of Mary’s attributes can be recorded using a mathematical technique called cryptography (literally, “secret writing”) so that tampering will invalidate the certificate. Cryptography allows Mary to present her certificate to others to prove her identity so long as the other party trusts the certificate issuer, known as a Certificate Authority (CA). As long as the CA keeps certain cryptographic information securely (meaning, its own private signing key), anyone reading the certificate can be sure that the information about Mary has not been tampered with — it will always have those particular attributes for Mary Morris. Think of Mary’s X.509 certificate as a digital identity card that is impossible to change.

Authentication, Public Keys, and Private Keys

Authentication and message integrity are important concepts in secure communications. Authentication requires that parties who exchange messages are assured of the identity that created a specific message. For a message to have “integrity” means that it cannot have been modified during its transmission. For example, you might want to be sure you’re communicating with the real Mary Morris rather than an impersonator. Or if Mary has sent you a message, you might want to be sure that it hasn’t been tampered with by anyone else during transmission.

Traditional authentication mechanisms rely on digital signatures that, as the name suggests, allow a party to digitally sign its messages. Digital signatures also provide guarantees on the integrity of the signed message.

Technically speaking, digital signature mechanisms require each party to hold two cryptographically connected keys: a public key that is made widely available and acts as an authentication anchor, and a private key that is used to produce digital signatures on messages. Recipients of digitally signed messages can verify the origin and integrity of a received message by checking that the attached signature is valid under the public key of the expected sender.

The unique relationship between a private key and the respective public key is the cryptographic magic that makes secure communications possible. The unique mathematical relationship between the keys is such that the private key can be used to produce a signature on a message that only the corresponding public key can match, and only on the same message.

[Figure: AuthenticationKeys]

In the example above, Mary uses her private key to sign the message. The signature can be verified by anyone who sees the signed message using her public key.
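The exchange in the figure, as an added Go example that is not code from the Fabric documentation: Mary signs with her private key, the recipient verifies with her public key, and the same signature is then shown to fail for a tampered message and under an impersonator's key. It uses ECDSA P-256 with SHA-256, the combination Fabric's default crypto provider uses; the names `newKey`, `sign`, `verify` and `scenario` and the sample message are constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// newKey generates a key pair: the private key stays with its holder, the public key
// is what goes into the holder's certificate (ECDSA P-256, Fabric's default).
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// sign produces a signature over the SHA-256 digest of msg with the private key.
func sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verify reports whether sig was produced over exactly msg by the holder of the
// private key matching pub. The verifier never needs the private key.
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// scenario replays the figure: Mary signs a message; the recipient verifies it with her
// public key, then tries a tampered message and an impersonator's public key.
// It returns (genuine, tampered, impersonated) verification results: true, false, false.
func scenario() (bool, bool, bool, error) {
	mary, err := newKey()
	if err != nil {
		return false, false, false, err
	}
	impersonator, err := newKey()
	if err != nil {
		return false, false, false, err
	}
	msg := []byte("Ship 40 gearboxes to plant 7") // constructed sample message
	sig, err := sign(mary, msg)
	if err != nil {
		return false, false, false, err
	}
	genuine := verify(&mary.PublicKey, msg, sig)
	tampered := verify(&mary.PublicKey, []byte("Ship 400 gearboxes to plant 7"), sig)
	impersonated := verify(&impersonator.PublicKey, msg, sig)
	return genuine, tampered, impersonated, nil
}
```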

Certificate Authorities

As you’ve seen, an actor or a node is able to participate in the blockchain network via the means of a digital identity issued for it by an authority trusted by the system. In the most common case, digital identities (or simply identities) have the form of cryptographically validated digital certificates that comply with the X.509 standard and are issued by a Certificate Authority (CA).

CAs are a common part of internet security protocols, and you’ve probably heard of some of the more popular ones: Symantec (originally Verisign), GeoTrust, DigiCert, GoDaddy, and Comodo, among others.

[Figure: CertificateAuthorities]

A Certificate Authority dispenses certificates to different actors. These certificates are digitally signed by the CA and bind together the actor with the actor’s public key (and optionally with a comprehensive list of properties). As a result, if one trusts the CA (and knows its public key), it can trust that the specific actor is bound to the public key included in the certificate, and owns the included attributes, by validating the CA’s signature on the actor’s certificate.

Certificates can be widely disseminated, as they include neither the actors’ nor the CA’s private keys. As such they can be used as anchors of trust for authenticating messages coming from different actors.

CAs also have a certificate, which they make widely available. This allows the consumers of identities issued by a given CA to verify them by checking that the certificate could only have been generated by the holder of the corresponding private key (the CA).

In a blockchain setting, every actor who wishes to interact with the network needs an identity. In this setting, you might say that one or more CAs can be used to define the members of an organization from a digital perspective. It’s the CA that provides the basis for an organization’s actors to have a verifiable digital identity.

Root CAs, Intermediate CAs and Chains of Trust

CAs come in two flavors: Root CAs and Intermediate CAs. Because Root CAs (Symantec, Geotrust, etc.) have to securely distribute hundreds of millions of certificates to internet users, it makes sense to spread this process out across what are called Intermediate CAs. These Intermediate CAs have their certificates issued by the root CA or another intermediate authority, allowing the establishment of a “chain of trust” for any certificate that is issued by any CA in the chain. This ability to track back to the Root CA not only allows the function of CAs to scale while still providing security — allowing organizations that consume certificates to use Intermediate CAs with confidence — it limits the exposure of the Root CA, which, if compromised, would endanger the entire chain of trust. If an Intermediate CA is compromised, on the other hand, there will be a much smaller exposure.

[Figure: ChainOfTrust]

A chain of trust is established between a Root CA and a set of Intermediate CAs as long as the issuing CA for the certificate of each of these Intermediate CAs is either the Root CA itself or has a chain of trust to the Root CA.

Intermediate CAs provide a huge amount of flexibility when it comes to the issuance of certificates across multiple organizations, and that’s very helpful in a permissioned blockchain system (like Fabric). For example, you’ll see that different organizations may use different Root CAs, or the same Root CA with different Intermediate CAs — it really does depend on the needs of the network.
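A chain of trust built and checked in Go, as an added example that is not part of the Fabric documentation or of Fabric CA: `issue` plays the CA that signs a certificate (a Root CA signing its own, an Intermediate CA signing Mary's), and `trusted` plays a verifier that walks a leaf certificate back through the intermediates to a Root CA using the standard library's X.509 verifier. Both function names, and the CA names a caller passes to them, are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue has a CA sign a certificate for subj with its private key; a nil issuer yields a
// self-signed Root CA. CAs get certSign|cRLSign so they can issue and revoke; an end entity
// such as Mary gets digitalSignature only. The private key is returned, never distributed.
func issue(serial int64, subj pkix.Name, isCA bool, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subj,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key // self-signed: the root vouches for itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trusted is the verifier: it reports whether leaf chains back to one of the trusted roots
// through the supplied intermediates, i.e. whether every signature on the path validates
// under the public key of the CA above it. It needs no private key at all.
func trusted(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```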

Fabric CA

It’s because CAs are so important that Fabric provides a built-in CA component to allow you to create CAs in the blockchain networks you form. This component, known as Fabric CA, is a private root CA provider capable of managing digital identities of Fabric participants that have the form of X.509 certificates. Because Fabric CA is a custom CA targeting the Root CA needs of Fabric, it is inherently not capable of providing SSL certificates for general/automatic use in browsers. However, because some CA must be used to manage identity (even in a test environment), Fabric CA can be used to provide and manage certificates. It is also possible — and fully appropriate — to use a public/commercial root or intermediate CA to provide identification.

If you’re interested, you can read a lot more about Fabric CA in the CA documentation section.

Certificate Revocation Lists

A Certificate Revocation List (CRL) is easy to understand — it’s just a list of references to certificates that a CA knows to be revoked for one reason or another. If you recall the store scenario, a CRL would be like a list of stolen credit cards.

When a third party wants to verify another party’s identity, it first checks the issuing CA’s CRL to make sure that the certificate has not been revoked. A verifier doesn’t have to check the CRL, but if they don’t they run the risk of accepting a compromised identity.

[Figure: CRL]

Using a CRL to check that a certificate is still valid. If an impersonator tries to pass a compromised digital certificate to a validating party, it can be first checked against the issuing CA’s CRL to make sure it’s not listed as no longer valid.

Note that a certificate being revoked is very different from a certificate expiring. Revoked certificates have not expired — they are, by every other measure, a fully valid certificate. For more in-depth information about CRLs, click here.

Now that you’ve seen how a PKI can provide verifiable identities through a chain of trust, the next step is to see how these identities can be used to represent the trusted members of a blockchain network. That’s where a Membership Service Provider (MSP) comes into play — it identifies the parties who are the members of a given organization in the blockchain network.

To learn more about membership, check out the conceptual documentation on MSPs.