Analysis of information sources in references of the Wikipedia article "根证书" in Chinese language version.
Essentially, both Acrobat and Reader have been programmed to reach out to a web page to periodically download a list of trusted "root" digital certificates. Any digital signature created with a credential that can trace a relationship ("chain") back to the high-assurance, trustworthy certificates on this list is trusted by Acrobat and Reader.
Adobe is delighted to announce the completion of our work to support and integrate the EU Trusted Lists (EUTL) into Adobe Acrobat and Acrobat Reader. For the first time, citizens, governments and businesses across the world will have easy access to electronically signed documents based on EU qualified certificates in the ubiquitous Adobe Acrobat and Acrobat Reader software.
Apple uses public key infrastructure (PKI) to secure and enhance the experience for Apple users. Apple products, including our web browser Safari and Mail.app, use a common store for root certificates. Apple requires root certification authorities to meet certain criteria[...]
A Key Ceremony is only required when your organisation wishes to achieve your own independent root, or intermediate, Certificate Authority. This typically occurs where an organisation wants to create and own its own Root CA for reasons relating to compliance to specific standards (e.g. ISO 27001, WebTrust, EU Qualified Certificates, etc). A Root Key Ceremony is a procedure where a unique pair of Public and Private Root Keys is generated. Depending on your requirements and specifications, the generation of the Root Keys may require notarisation, legal representation, witnesses and "Key Holders" to be present
Under the Regulation (EC) No 910/2014/EU (eIDAS Regulation), national Trusted Lists have a constitutive effect. In other words, a trust service provider and the trust services it provides will be qualified only if it appears in the Trusted Lists. Consequently, the users (citizens, businesses or public administrations) will benefit from the legal effect associated with a given qualified trust service only if the latter is listed (as qualified) in the Trusted Lists.
A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.
Enterprises can easily push out the necessary IntranetSSL non-public roots to their users via Group Policy Object (GPO), or other centralized management system which will make the IntranetSSL certificates trusted by their user community.
香港郵政在二零零零年成立香港第一家在《電子交易條例》(香港法例第553章)下的認可公共核證機關。現時,香港郵政核證機關發出符合電子交易條例要求的「認可數碼證書」。根據《電子交易條例》,使用該條例下認可的數碼證書作出的數碼簽署與書面的簽署具同等法律效力。
all of the end entities and relying parties use a single "Root CA" as their trust anchor. If the hierarchy has multiple levels, the Root CA certifies the public keys of intermediate CAs (also known as subordinate CAs). These CAs then certify end entities' (subscribers') public keys or may, in a large PKI, certify other CAs.
SSL forward proxy is a transparent proxy; that is, it performs SSL encryption and decryption between the client and the server, but neither the server nor the client can detect its presence. SSL forward proxy ensures that it has the keys to encrypt and decrypt the payload
The Microsoft Trusted Root Certificate Program ("Program") supports the distribution of qualifying root certificates in Microsoft Windows and other Microsoft Products and Services.
某些組織可能會想要管理憑證信任,並避免網域中的使用者設定自己的信任根憑證集。此外,某些組織在需要額外信任關係的狀況下,會需要識別並分送特定的信任根憑證,以符合業務所需。
這份文件提供的指示可幫助您建立企業根 CA、使用憑證範本啟用自動註冊、為無線使用者建立自動註冊。您可以學到如何執行下列工作:安裝及設定企業根 CA。
This page describes how to change the default root certificate trust settings in Mozilla products, including Firefox and Thunderbird. [...] Some browsers only display the root certificates that the user has actually used, and dynamically download new ones on demand. However, Mozilla believes it is important for users to know the root certificates that could be used, so the full set of certificates is always shown. This also allows you to edit the trust bits for any root certificates that you do not want to use.
When distributing binary and source code versions of Firefox, Thunderbird, and other Mozilla-related software products, Mozilla includes with such software a set of X.509v3 root certificates for various Certification Authorities (CAs). The included certificates have their "trust bits" set for various purposes, so that the software in question can use the CA certificates to anchor a chain of trust for certificates used by SSL servers and S/MIME email users without having to ask users for further permission or information.
警告: 您永遠不該為合法的主要網站或金融交易網站增加憑證例外 - 此時無效的憑證可能表示您的連線正受到第三方的危害。如果允許,您可以增加例外以造訪網站,雖然它的憑證預設是不受信任的:在警告網頁,點擊 進階。點擊 增加例外…。將顯示 增加安全例外 對話框。閱讀敘述網站問題的文字。您可以點擊 檢視… 來更精確的檢視此不受信任的憑證。如果您確認您想信任些網站,點擊 確認安全例外。
核證機關在確保公開密碼匙基礎建設的有效運作方面擔當重要角色,並作為可信賴的第三方,負責證明電子交易所涉及有關各方的身分。目前,香港有兩間根據《電子交易條例》(第553章)獲得認可的核證機關。根據《電子交易條例》,郵政署署長是認可核證機關,提供香港郵政核證機關服務,而電子核證服務有限公司則是根據《電子交易條例》下核證機關自願認可計劃獲得認可的商營核證機關。
政府於2000年1月制定《電子交易條例》(第553章)(「條例」),並於2004年6月作出修訂。大體上,條例旨在:賦予電子紀錄及電子簽署(請看下文的註釋1)跟紙張文件上的紀錄和簽署同等的法律地位;以及設立核證機關自願認可計劃以加強社會人士對電子交易的信心。(註釋1︰就不涉及政府單位的電子交易而言,任何形式的電子簽署,只要可靠恰當並獲簽署的接受人認同,已能符合法律有關簽署的規定。就涉及政府單位的電子交易而言,有認可數碼證書證明的數碼簽署,便符合法律上的簽署規定。)
In order to protect Oracle's Java SE customers from security issues related to the use of public key infrastructure (PKI) certificates while enhancing their overall experience, Oracle requires that all root certificates authorities meet the following criteria before applying for inclusion of their root certificates in Oracle’s Java Runtime Environment (JRE).
The firewall uses certificates to establish itself as a trusted third party to the session between the client and the server [...] When the client initiates an SSL session with the server, the firewall intercepts the client SSL request and forwards the SSL request to the server. The server returns a certificate intended for the client that is intercepted by the firewall. If the server certificate is signed by a CA that the firewall trusts, the firewall creates a copy of the server certificate signs it with the firewall Forward Trust certificate and sends the certificate to the client [...] When the client authenticates the certificate, the SSL session is established with the firewall functioning as a trusted forward proxy to the site that the client is accessing. As the firewall continues to receive SSL traffic from the server that is destined for the client, it decrypts the SSL traffic into clear text traffic and applies decryption and security profiles to the traffic. The traffic is then re-encrypted on the firewall and the firewall forwards the encrypted traffic to the client.
The Google Public Key Infrastructure (“Google PKI”), has been established by Google Trust Services, LLC (“Google”), to enable reliable and secure identity authentication, and to facilitate the preservation of confidentiality and integrity of data in electronic transactions.
In this configuration, the proxy is performing what in another context would be considered a man-in-the-middle attack. The client is completely unaware that somewhere their traffic is being sent is posing as the destination, decrypting their communication, and re-encrypting it to send to the real target server. Responses are captured on-the-fly as well, and sent back to the origin server. [...] It presents a certificate valid for any domain that it generates as requests hit it in real time, and because the client needs to be configured to trust the same root CA certificate the proxy uses, will allow the connection. (Remember, any certificate trusted as a root certificate can sign valid certificates for any and all domains and paths, not just its own.)
For extra recovery, the CA is often split into a long-lived root CA which is kept offline, and a short-lived intermediate CA. Both machines are in the cage and bunker; the root CA is never connected to a network. The root CA is physically accessed, with dual control (at least two people together, and video recording) on a regular basis, to emit the certificate for the intermediate CA
香港郵政在二零零零年成立香港第一家在《電子交易條例》(香港法例第553章)下的認可公共核證機關。現時,香港郵政核證機關發出符合電子交易條例要求的「認可數碼證書」。根據《電子交易條例》,使用該條例下認可的數碼證書作出的數碼簽署與書面的簽署具同等法律效力。
The Google Public Key Infrastructure (“Google PKI”), has been established by Google Trust Services, LLC (“Google”), to enable reliable and secure identity authentication, and to facilitate the preservation of confidentiality and integrity of data in electronic transactions.
A Key Ceremony is only required when your organisation wishes to achieve your own independent root, or intermediate, Certificate Authority. This typically occurs where an organisation wants to create and own its own Root CA for reasons relating to compliance to specific standards (e.g. ISO 27001, WebTrust, EU Qualified Certificates, etc). A Root Key Ceremony is a procedure where a unique pair of Public and Private Root Keys is generated. Depending on your requirements and specifications, the generation of the Root Keys may require notarisation, legal representation, witnesses and "Key Holders" to be present
When distributing binary and source code versions of Firefox, Thunderbird, and other Mozilla-related software products, Mozilla includes with such software a set of X.509v3 root certificates for various Certification Authorities (CAs). The included certificates have their "trust bits" set for various purposes, so that the software in question can use the CA certificates to anchor a chain of trust for certificates used by SSL servers and S/MIME email users without having to ask users for further permission or information.
Apple uses public key infrastructure (PKI) to secure and enhance the experience for Apple users. Apple products, including our web browser Safari and Mail.app, use a common store for root certificates. Apple requires root certification authorities to meet certain criteria[...]
In order to protect Oracle's Java SE customers from security issues related to the use of public key infrastructure (PKI) certificates while enhancing their overall experience, Oracle requires that all root certificates authorities meet the following criteria before applying for inclusion of their root certificates in Oracle’s Java Runtime Environment (JRE).
Essentially, both Acrobat and Reader have been programmed to reach out to a web page to periodically download a list of trusted "root" digital certificates. Any digital signature created with a credential that can trace a relationship ("chain") back to the high-assurance, trustworthy certificates on this list is trusted by Acrobat and Reader.
Adobe is delighted to announce the completion of our work to support and integrate the EU Trusted Lists (EUTL) into Adobe Acrobat and Acrobat Reader. For the first time, citizens, governments and businesses across the world will have easy access to electronically signed documents based on EU qualified certificates in the ubiquitous Adobe Acrobat and Acrobat Reader software.
Under the Regulation (EC) No 910/2014/EU (eIDAS Regulation), national Trusted Lists have a constitutive effect. In other words, a trust service provider and the trust services it provides will be qualified only if it appears in the Trusted Lists. Consequently, the users (citizens, businesses or public administrations) will benefit from the legal effect associated with a given qualified trust service only if the latter is listed (as qualified) in the Trusted Lists.
A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.
核證機關在確保公開密碼匙基礎建設的有效運作方面擔當重要角色,並作為可信賴的第三方,負責證明電子交易所涉及有關各方的身分。目前,香港有兩間根據《電子交易條例》(第553章)獲得認可的核證機關。根據《電子交易條例》,郵政署署長是認可核證機關,提供香港郵政核證機關服務,而電子核證服務有限公司則是根據《電子交易條例》下核證機關自願認可計劃獲得認可的商營核證機關。
政府於2000年1月制定《電子交易條例》(第553章)(「條例」),並於2004年6月作出修訂。大體上,條例旨在:賦予電子紀錄及電子簽署(請看下文的註釋1)跟紙張文件上的紀錄和簽署同等的法律地位;以及設立核證機關自願認可計劃以加強社會人士對電子交易的信心。(註釋1︰就不涉及政府單位的電子交易而言,任何形式的電子簽署,只要可靠恰當並獲簽署的接受人認同,已能符合法律有關簽署的規定。就涉及政府單位的電子交易而言,有認可數碼證書證明的數碼簽署,便符合法律上的簽署規定。)
依法令規定應簽名或蓋章者,經相對人同意,得以電子簽章為之。
某些組織可能會想要管理憑證信任,並避免網域中的使用者設定自己的信任根憑證集。此外,某些組織在需要額外信任關係的狀況下,會需要識別並分送特定的信任根憑證,以符合業務所需。
This page describes how to change the default root certificate trust settings in Mozilla products, including Firefox and Thunderbird. [...] Some browsers only display the root certificates that the user has actually used, and dynamically download new ones on demand. However, Mozilla believes it is important for users to know the root certificates that could be used, so the full set of certificates is always shown. This also allows you to edit the trust bits for any root certificates that you do not want to use.
這份文件提供的指示可幫助您建立企業根 CA、使用憑證範本啟用自動註冊、為無線使用者建立自動註冊。您可以學到如何執行下列工作:安裝及設定企業根 CA。
Enterprises can easily push out the necessary IntranetSSL non-public roots to their users via Group Policy Object (GPO), or other centralized management system which will make the IntranetSSL certificates trusted by their user community.
The firewall uses certificates to establish itself as a trusted third party to the session between the client and the server [...] When the client initiates an SSL session with the server, the firewall intercepts the client SSL request and forwards the SSL request to the server. The server returns a certificate intended for the client that is intercepted by the firewall. If the server certificate is signed by a CA that the firewall trusts, the firewall creates a copy of the server certificate signs it with the firewall Forward Trust certificate and sends the certificate to the client [...] When the client authenticates the certificate, the SSL session is established with the firewall functioning as a trusted forward proxy to the site that the client is accessing. As the firewall continues to receive SSL traffic from the server that is destined for the client, it decrypts the SSL traffic into clear text traffic and applies decryption and security profiles to the traffic. The traffic is then re-encrypted on the firewall and the firewall forwards the encrypted traffic to the client.
SSL forward proxy is a transparent proxy; that is, it performs SSL encryption and decryption between the client and the server, but neither the server nor the client can detect its presence. SSL forward proxy ensures that it has the keys to encrypt and decrypt the payload
In this configuration, the proxy is performing what in another context would be considered a man-in-the-middle attack. The client is completely unaware that somewhere their traffic is being sent is posing as the destination, decrypting their communication, and re-encrypting it to send to the real target server. Responses are captured on-the-fly as well, and sent back to the origin server. [...] It presents a certificate valid for any domain that it generates as requests hit it in real time, and because the client needs to be configured to trust the same root CA certificate the proxy uses, will allow the connection. (Remember, any certificate trusted as a root certificate can sign valid certificates for any and all domains and paths, not just its own.)
中間憑證為我們根憑證的替身。由於我們必須將我們的根憑證置於數層安全防護之後,因此我們利用中間憑證作為 proxy,確保根憑證的密鑰絕對無法被存取。但是,由於根憑證本身簽署了中間憑證,中間憑證可以被用來簽署我們的客戶安裝與維護的「信任連鎖」 SSL。
For extra recovery, the CA is often split into a long-lived root CA which is kept offline, and a short-lived intermediate CA. Both machines are in the cage and bunker; the root CA is never connected to a network. The root CA is physically accessed, with dual control (at least two people together, and video recording) on a regular basis, to emit the certificate for the intermediate CA
