September 2021
Beginner to intermediate
392 pages
12h 13m
Chinese
book
Google系统架构解密: 构建安全可靠的系统
by Heather Adkins, Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea, Adam Stubblefield
Content preview from Google系统架构解密: 构建安全可靠的系统
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
案例分析:设计、实现和维护一个受信任的公共
CA
|
165
11.3
自建还是购买
CA
当
Google
决定自营受信任的公共
CA
时,我们需要考虑究竟是购买商用软件,还是自行编
写软件实现。最终,我们决定自行开发
CA
的核心部分
,等到有需要的时候再集成开源和
商用方案。这样的决定考虑了许多因素,其中最主要的几个列举如下。
透明度和有效性
作为重要的基础设施,
CA
的商
业解决方案在代码或供应链可审计性方面,往往达不到
我们想要的效果。即使研发自己的
CA
系统需要集成开源库和使用第三方代码
,这样做
也让我们心里更有底。
集成能力
通过集成
Google
安全关键基础设施
,我们希望简化
CA
的开发和维护。例如,可以通
过添加一行配置,在
Spanner
系统中建立起定期备份机制。
灵活性
社区有一系列提案能增强互联网生态的安全性。有两个典型的案例:证书透明度,一种
监测和审计证书的方式;域名验证,涉及
DNS
、
HTTP
等其他方式
5
。
11.4
设计
、
开发和维护过程中的考虑
为了确保
CA
的安全,我们设计了三层体系结构,其中的每一层分别负责发布过程中的不
同部分:证书申请解析、注册机构的功能(含路由和主要逻辑)以及证书签名。每一层都
由分工明确的微服务构成。我们还设计了一种双信任空间架构,在与执行关键操作不同的
环境中处理不受信任的输入内容。通过隔离建立边界能提升可理解性,同时也能降低审阅
的难度。这种架构也会让攻击更困难,这是因为每个模块有功能划分。即便是攻破了其中
的一个,所造成的影响也局限在其功能范围内。如果要接触其他资源,则攻击者需要绕过
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.