Revisiting BetterTLS: Certificate Path Building
By Ian Haken
Last year the AddTrust root certificate expired and lots of clients had a bad time. Some Roku devices weren’t working right, Heroku had problems, and some folks couldn’t even curl. In the aftermath Ryan Sleevi wrote a really great blog post not just about the issue of this one certificate’s expiry, but the problem that so many TLS implementations have in general with certificate path building. If you haven’t read that blog post, you should. This post is probably going to make a lot more sense if you’ve read that one first, so go ahead and read it now.
To recap that previous AddTrust root certificate expiry, there was a certificate graph that looked like this:

The AddTrust certificate graph
This is a real example, and you can see the five certificates in the above graph here:
The important thing to understand about a certificate graph is that the boxes represent entities (meaning an X.500 Distinguished Name and public key). Entities are things you trust (or don’t, as the case may be). The arrows between entities represent certificates: a way to extend trust from one entity to another. This means that if you trust either the “USERTrust RSA Certification Authority” entity or the “AddTrust External CA Root” entity, you should be able to discover a chain of trust from that trusted entity (the “trust anchor”) down to “www.agwa.name”, the “end-entity”.
(Note that the self-signed certificates (4 and 5) are often useful for defining trusted entities, but aren’t going to be important in the context of path building.)
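To make the graph model concrete, here is an added Python sketch (not code from this post or from BetterTLS) that models the entities and certificates described above and contrasts a client that simply validates the chain the server presented, in order, with a path builder that searches the graph; the intermediate CA's name and all dates other than the AddTrust expiry are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str      # entity the certificate vouches for
    issuer: str       # entity whose key signed it
    not_after: date   # expiry

# Constructed model of the graph above. The intermediate CA's name and all
# dates except the AddTrust expiry (30 May 2020) are placeholders.
USERTRUST = "USERTrust RSA Certification Authority"
ADDTRUST = "AddTrust External CA Root"
LEAF = Cert("www.agwa.name", "Example Intermediate CA", date(2021, 12, 31))
INTERMEDIATE = Cert("Example Intermediate CA", USERTRUST, date(2030, 1, 1))
CROSS_SIGN = Cert(USERTRUST, ADDTRUST, date(2020, 5, 30))      # certificate 3
GRAPH = [LEAF, INTERMEDIATE, CROSS_SIGN,
         Cert(USERTRUST, USERTRUST, date(2038, 1, 18)),        # 4, self-signed
         Cert(ADDTRUST, ADDTRUST, date(2020, 5, 30))]          # 5, self-signed
PRESENTED = [LEAF, INTERMEDIATE, CROSS_SIGN]   # what the server hands out
BEFORE_EXPIRY, AFTER_EXPIRY = date(2019, 1, 1), date(2021, 3, 1)  # evaluation dates

def verify_presented_chain(chain, anchors, today):
    """Naive client: use every certificate the server sent, in order, and
    require the final issuer to be a trust anchor. One expired link fails
    the whole chain, even if an earlier issuer was already trusted."""
    if any(cert.not_after < today for cert in chain):
        return None
    return list(chain) if chain[-1].issuer in anchors else None

def build_path(leaf, anchors, graph, today):
    """Path building as graph search: walk from the end-entity towards the
    anchors, stop as soon as a trusted entity is reached, skip expired,
    self-signed or cyclic edges, and backtrack to try alternative issuers."""
    def search(entity, visited):
        if entity in anchors:
            return []
        for cert in graph:
            if (cert.subject != entity or cert.issuer == cert.subject
                    or cert.issuer in visited or cert.not_after < today):
                continue
            rest = search(cert.issuer, visited | {cert.issuer})
            if rest is not None:
                return [cert] + rest
        return None
    return search(leaf.subject, {leaf.subject})
```

With a trust store that contains USERTrust, `verify_presented_chain(PRESENTED, {USERTRUST}, AFTER_EXPIRY)` fails on the expired cross-sign while `build_path(LEAF, {USERTRUST}, GRAPH, AFTER_EXPIRY)` returns the two-certificate chain; with a store holding only AddTrust, both correctly find no valid path after the expiry.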