25

Is Fabric CA an implementation of MSP? Is an MSP useless by itself?

What are the functions of the MSP and Fabric CA? And differences in those functions?

Jeff

4 Answers

25

MSP is a Membership Service Provider, a pluggable interface to support a variety of credential architectures, basically offering an abstraction layer for membership orchestration architecture. The MSP abstraction provides:

  1. Concrete identity format
  2. User credential validation
  3. User credential revocation
  4. Signature generation and verification

Fabric-CA, meanwhile, is used to generate the certificates and keys that actually initialize the MSP facilities. Fabric-CA is a default implementation of the MSP interface to cover identity management.

Artem Barger
  • 11
    Could you give me an example of some other credential architectures that we could use with Fabric? – Jeff Aug 16 '17 at 13:09
  • An example reflecting the differences between the two will help people understand it better. Can a CA work independently of an MSP? – Kartik Chauhan Jul 16 '19 at 20:18
  • @KartikChauhan not sure what example you would expect to see. MSP is an interface, while Fabric-CA is a piece of software. – Artem Barger Jul 17 '19 at 10:10
  • If anyone asks me this question, I don't know whether I'll be able to clearly explain the difference between the two. – Kartik Chauhan Jul 17 '19 at 10:24
  • 1
    [This example](https://hyperledger-fabric.readthedocs.io/en/latest/membership/membership.html#why-do-i-need-an-msp) with credit cards from the docs is pretty good. Maybe it should be added to Artem's answer. Quoting a part of the example: "the Certificate Authority is like a card provider — it dispenses many different types of verifiable identities. An MSP, on the other hand, determines which credit card providers are accepted at the store. In this way, the MSP turns an identity (the credit card) into a role (the ability to buy things at the store)." – Gr3at Feb 27 '21 at 07:59
  • Fabric CA is used to create identities, but the MSP, the abstract interface, turns the identities into roles to administrate them in the Fabric network. – 4t8dds Feb 18 '22 at 02:37
1

MSPs are in charge of members' certificates and authentication. MSP is pluggable, so the default Fabric MSP implementation uses PKI methods and X.509 certificates. You can use commercial CAs or Fabric CA to generate the keys and certificates needed to configure an MSP.

For more information read the Fabric CA documentation and https://hyperledger-fabric.readthedocs.io/en/latest/msp.html

Polem
0

Fabric CA provides features such as registration of identities with roles like peer, user or application, or connecting to an existing LDAP as the user registry to fetch identities of the mentioned roles.

An MSP (membership service provider) defines which certificate authorities (CAs) are allowed to issue certificates.

0

A Certificate Authority (CA) is like a card provider — it dispenses many different types of verifiable identities (Visa, Mastercard, RuPay).

An MSP, on the other hand, determines which credit card providers (Visa, Mastercard) are accepted at the store.

<-->

In this scenario, the MSP only accepts Visa and Mastercard, even though the CA has produced RuPay alongside the accepted ones.

<-->

Connecting this with Hyperledger Fabric:

Certificate Authorities issue identities by generating a public and a private key, which form a key pair that can be used to prove identity. This identity needs a way to be recognized by the network, which is where the MSP comes in.

For example, a peer uses its private key to digitally sign, or endorse, a transaction. The MSP is used to check that the peer is allowed to endorse the transaction or if the peer belongs to the recognized organizations/members.

The MSP is internal or close to the network setup, whereas the CA resides at a distance.

Hem M
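The split described in the answers above (a CA issues identities, an MSP decides which CAs it accepts and checks signatures against them), as an added Go example that is not part of any answer and is not Fabric's own MSP code. The names `issue`, `ToyMSP` and `demo`, the CA and peer names, and the choice of Ed25519 keys are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue plays the CA role: it creates a key pair and a certificate for cn; a nil parent gives a self-signed root.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { // no issuer given: make this certificate a self-signed CA root
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// ToyMSP plays the MSP role: the CA roots an organization accepts, plus the check every signer must pass.
type ToyMSP struct{ Roots *x509.CertPool }

func (m ToyMSP) Validate(cert *x509.Certificate, msg, sig []byte) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: m.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return err == nil && ok && ed25519.Verify(pub, msg, sig)
}

// demo runs on constructed data: two CAs, one peer under each, and an MSP that accepts only the first CA.
func demo() (accepted, unlistedCA, wrongKey bool) {
	caA, keyA := issue("accepted-ca", nil, nil)
	caB, keyB := issue("unlisted-ca", nil, nil)
	p1, k1 := issue("peer1", caA, keyA)
	p2, k2 := issue("peer2", caB, keyB)
	msp, tx := ToyMSP{Roots: x509.NewCertPool()}, []byte("constructed transaction")
	msp.Roots.AddCert(caA)
	return msp.Validate(p1, tx, ed25519.Sign(k1, tx)), // certificate issued by the accepted CA
		msp.Validate(p2, tx, ed25519.Sign(k2, tx)), // valid certificate, but its CA is not accepted
		msp.Validate(p1, tx, ed25519.Sign(k2, tx)) // accepted certificate, signature made with another key
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func main() { fmt.Println(demo()) } // true false false
```

Revocation and the mapping of identities to roles, which the answers also attribute to the MSP, are left out of this sketch.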