6

I read the docs on Hyperledger Fabric Membership Service Providers (MSPs) and not everything was really clear to me.

The link to the part of the docs on MSPs is this: https://hyperledger-fabric.readthedocs.io/en/release-1.2/membership/membership.html

  1. Quote from the docs:

This is where a Membership Service Provider (MSP) comes into play — it identifies which Root CAs and Intermediate CAs are trusted to define the members of a trust domain, e.g., an organization, either by listing the identities of their members, or by identifying which CAs are authorized to issue valid identities for their members, or — as will usually be the case — through a combination of both.

My understanding of this paragraph is this: An MSP of OrgX either has a list of OrgX's members (so a participant on the network can simply be checked against the list) or, alternatively, the MSP defines which Certificate Authority is allowed to issue identities for members of OrgX. Is this understanding correct?

  2. If an MSP of OrgX defines the Certificate Authority that is allowed to issue identities to members of OrgX, then how does this protect the network from unwanted participants entering? Let's say that the MSP of OrgX uses "Symantec" as its CA. So everybody with a certificate from Symantec is regarded as a member of OrgX and can participate in the network. But what if I (who is not a member of OrgX) get myself a certificate from "Symantec"? Am I now automatically considered a member of OrgX and can join the network?

  3. There are channel MSPs and local MSPs. According to the docs, both the channel MSP and the local MSP define which identities belong to a certain organisation (for example, OrgX). But what's the point of instantiating the channel MSP to nodes, if the channel MSP contains the same information as the local MSP (namely basically a list of identities)?


Michael
  • 799
  • 1
  • 7
  • 16

1 Answer

1

My understanding of this paragraph is this: An MSP of OrgX either has a list of OrgX's members (so a participant on the network can simply be checked against the list) or, alternatively, the MSP defines which Certificate Authority is allowed to issue identities for members of OrgX. Is this understanding correct?

Correct. But... in practice, the only certificates that are explicitly configured in the MSP are administrator certificates. The rest are not configured, and are verified by standard X.509 PKI validation (finding a validation path to some intermediate or root CA), while the admin certificates are identified by a byte-by-byte comparison.

If an MSP of OrgX defines the Certificate Authority that is allowed to issue identities to members of OrgX, then how does this protect the network from unwanted participants entering?

Unwanted participants are not expected to have a private key that has a corresponding certificate that is used by OrgX.

Let's say that the MSP of OrgX uses "Symantec" as its CA. So everybody with a certificate from Symantec is regarded as a member of OrgX and can participate in the network. But what if I (who is not a member of OrgX) get myself a certificate from "Symantec"? Am I now automatically considered a member of OrgX and can join the network?

If you get a private key corresponding to the public key of a certificate that is issued by Symantec's CA, and the CA has a certificate that is configured as a root CA or intermediate CA in the Fabric channel config, then you can authenticate as a member of OrgX.

There are channel MSPs and local MSPs. According to the docs, both the channel MSP and the local MSP define which identities belong to a certain organisation (for example, OrgX). But what's the point of instantiating the channel MSP to nodes, if the channel MSP contains the same information as the local MSP (namely basically a list of identities)?

The channel MSP doesn't contain the same information as the local MSP. The local MSP contains only information regarding the organization that the local MSP's node (peer, orderer) belongs to. However, a channel MSP can contain information about any organization that is a member of the channel. Actually, a channel has several MSPs: one for each organization!

Consider an example: you have orgs A, B, C in channel Foo. So, the channel configuration would have 3 MSPs, each used to verify an identity belonging to the corresponding organization.

yacovm
  • 5,120
  • 1
  • 11
  • 21
  • Thank you very much for your answer. "If you get a private key corresponding to the public key of a certificate that is issued by Symantec's CA, and the CA has a certificate that is configured as a root CA or intermediate CA in the fabric channel config, then - you can authenticate as a member of OrgX." Symantec is a root CA that is used by many actors, so a lot of people/institutions in the world have a certificate that is signed by Symantec ... you are saying that all these people/institutions can join a Hyperledger Fabric network where one of the member organisations uses Symantec as CA? – Michael Sep 16 '18 at 21:37
  • According to the docs you appear to be correct .... but this setup makes absolutely no sense. Most of the people/institutions with a certificate from Symantec are not members of the organisation participating in a specific Hyperledger Fabric network (and using Symantec as its CA). – Michael Sep 16 '18 at 21:37
  • For example, let's say that there is a Hyperledger Fabric network with three member organisations: BMW, Ford and Daimler. Let's assume Daimler uses Symantec as its CA. Let's assume further that Mr X (who has nothing to do with Daimler or any Blockchain network) has a certificate from Symantec (which he procured for other purposes). Now Mr X can join the Hyperledger Fabric network between Daimler, BMW and Ford ... how does this make sense? – Michael Sep 16 '18 at 21:38
  • ... I know that there is one MSP per organisation ... MSP of Org1 has a list of all identities that are members of Org1, MSP of Org2 has a list of all identities that are members of Org2, etc. .... Let's say Org1 has three members: Adam, Bob and Sarah. So the channel MSP of Org1 has a list containing the identities of Adam, Bob and Sarah. This information is then copied/instantiated to the local nodes. Additionally, each local node has a local MSP associated with the organisation that owns the node. – Michael Sep 16 '18 at 21:56
  • In the case of a node belonging to Org1, the local MSP has a list containing the identities of Adam, Bob and Sarah. But why not just give the node the information that it belongs to Org1, then it could look up any members of Org1 in the local copy of the channel MSP? This way you would just have the channel MSP containing the list of members (in the case of Org1.MSP: Adam, Bob and Sarah). Now you have the same list twice: once on channel Org1.MSP and once on local Org1.MSP – Michael Sep 16 '18 at 21:56
  • You can just have the CA denote a specific OU and then you can enforce that the MSP will be correlated to that OU. – yacovm Sep 19 '18 at 18:07
  • I am sorry to ask outside of your conversation, but it is still about the MSP part. I wonder how the channel MSP verifies the identity of one org versus another org? Since the channel MSP has a combination of all MSPs in the channel, is the verification done by a specific chaincode? Thank you very much! – Dara Tith Jan 19 '19 at 15:58
  • So, the channel MSP manager has a mapping of all organizations in the channel to their MSP instances. Whenever an identity comes and you need to validate it, the peer/orderer extracts the MSP ID (organization) from the identity, and then passes this to the MSP instance that is found in the MSP manager of the channel. If no MSP instance is found for that MSP ID, it is rejected. – yacovm Jan 19 '19 at 20:48
  • Thank you for your answer. I know the channel MSP holds all identities, but how can a peer check the identity of one person? Does a peer check by itself or invoke a special chaincode to check for it? – Dara Tith Jan 20 '19 at 12:24
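The mechanics described in the answer and the comment thread (an identity is routed to its organization's MSP by MSP ID, validated by an X.509 path to that MSP's configured CAs, admins matched byte-for-byte, and an OU requirement used when the CA is shared) can be exercised in a small self-contained Go program. This is an added example, not Fabric's code and not code from anyone in the thread: the `Identity`, `OrgMSP` and `ChannelMSPManager` types are this example's own simplified model, and every CA, organization and certificate below is generated on the fly as test data. "Public CA" stands in for the widely used commercial CA of the question.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

type Identity struct { // what a node extracts from a serialized identity (example model)
	MSPID string // organization the identity claims to belong to
	Cert  []byte // DER-encoded X.509 certificate
}

// OrgMSP is a simplified per-organization MSP (this example's model, not Fabric's types).
type OrgMSP struct {
	Roots      *x509.CertPool // trusted root/intermediate CA certificates
	Admins     [][]byte       // admin certificates (DER), matched byte-for-byte
	RequiredOU string         // OU every member certificate must carry; "" disables the check
}

type ChannelMSPManager map[string]*OrgMSP // MSP ID -> that org's MSP, one entry per channel member

// Validate follows the flow from the thread: select the MSP by MSP ID (reject if none), run
// X.509 path validation against its CAs, enforce the OU if configured, then flag admins.
func (m ChannelMSPManager) Validate(id Identity) (isAdmin bool, err error) {
	msp, ok := m[id.MSPID]
	if !ok {
		return false, fmt.Errorf("no MSP configured for MSP ID %q", id.MSPID)
	}
	cert, err := x509.ParseCertificate(id.Cert)
	if err != nil {
		return false, err
	}
	opts := x509.VerifyOptions{Roots: msp.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return false, fmt.Errorf("%s: no validation path to a trusted CA: %w", id.MSPID, err)
	}
	if msp.RequiredOU != "" && !slices.Contains(cert.Subject.OrganizationalUnit, msp.RequiredOU) {
		return false, fmt.Errorf("%s: certificate lacks required OU %q", id.MSPID, msp.RequiredOU)
	}
	// Admin certificates are identified by exact byte comparison, not through the CA chain.
	return slices.ContainsFunc(msp.Admins, func(a []byte) bool { return bytes.Equal(a, id.Cert) }), nil
}

// makeCert issues a throwaway certificate for the example; with parent == nil it is a self-signed CA.
func makeCert(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn, ou string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:   pkix.Name{CommonName: cn, OrganizationalUnit: strings.Fields(ou)}, // empty ou -> no OU attribute
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildScenario constructs a channel with two member orgs and sample identities (all names made up).
func BuildScenario() (ChannelMSPManager, map[string]Identity) {
	caA, keyA := makeCert(nil, nil, "OrgA CA", "")
	pub, keyPub := makeCert(nil, nil, "Public CA", "") // stands in for a widely used commercial CA
	pool := func(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }
	admin, _ := makeCert(caA, keyA, "admin@OrgA", "admin")
	member, _ := makeCert(caA, keyA, "alice@OrgA", "peer")
	mrX, _ := makeCert(pub, keyPub, "mr-x", "")                     // unrelated holder of a public-CA cert
	carol, _ := makeCert(pub, keyPub, "carol@OrgC", "OrgC-members") // public-CA cert carrying OrgC's OU
	mgr := ChannelMSPManager{
		"OrgA": {Roots: pool(caA), Admins: [][]byte{admin.Raw}},
		"OrgC": {Roots: pool(pub), RequiredOU: "OrgC-members"}, // shared CA plus OU pin, as the comments suggest
	}
	return mgr, map[string]Identity{
		"member of OrgA":                   {"OrgA", member.Raw},
		"admin of OrgA":                    {"OrgA", admin.Raw},
		"public-CA cert presented as OrgA": {"OrgA", mrX.Raw},
		"public-CA cert as OrgC, no OU":    {"OrgC", mrX.Raw},
		"public-CA cert as OrgC, with OU":  {"OrgC", carol.Raw},
		"OrgA cert presented as OrgC":      {"OrgC", member.Raw},
		"unknown MSP ID":                   {"OrgZ", member.Raw},
	}
}

func main() {
	mgr, cases := BuildScenario()
	for name, id := range cases {
		admin, err := mgr.Validate(id)
		fmt.Printf("%-34s admin=%-5v err=%v\n", name, admin, err)
	}
}
```

Running it shows the two halves of the answer: Mr X's public-CA certificate is rejected for OrgA only because OrgA's MSP does not list that CA, and the unknown MSP ID is rejected before any cryptography happens. OrgC, which does trust the shared CA, keeps Mr X out solely through the OU requirement, which is why an organization using a public CA would pin membership to an OU as the comments suggest; the local MSP of a peer would hold just its own organization's entry of this map, while the channel config carries one entry per member organization.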