Hyperledger Fabric docs on Membership Service Provider - Questions

风格不统一 submitted on 2019-12-05 05:04:58

My understanding of this paragraph is this: An MSP of OrgX either has a list of OrgX's members (so a participant on the network can simply be checked against the list) or, alternatively, the MSP defines which Certificate Authority is allowed to issue identities for members of OrgX. Is this understanding correct?

Correct. But... in practice, the only certificates that are explicitly configured in the MSP, are administrator certificates. The rest are not configured, and are verified by standard x509 PKI validation (finding a validation path to some intermediate or root CA), while the admin certificates are identified by a byte-by-byte comparison.

If an MSP of OrgX defines the Certificate Authority that is allowed to issue identities to members of OrgX, then how does this protect the network from unwanted participants entering?

Unwanted participants are not expected to have a private key that has a corresponding certificate that is issued by OrgX.

Let's say that the MSP of OrgX uses "Symantec" as its CA. So everybody with a certificate from Symantec is regarded as member of OrgX and can participate in the network. But what if I (who is not a member of OrgX) get myself a certificate from "Symantec"? Am I now automatically considered a member of OrgX and can join the network?

If you get a private key corresponding to the public key of a certificate that is issued by Symantec's CA, and the CA has a certificate that is configured as a root CA or intermediate CA in the fabric channel config, then - you can authenticate as a member of OrgX.

There are channel MSPs and local MSPs. According to the docs, both the channel MSP and the local MSP define which identities belong to a certain organisation (for example, OrgX). But what's the point of instantiating the channel to nodes, if the channel MSP contains the same information as the local MSP (namely basically a list of identities)?

The channel MSP doesn't contain the same information as the local MSP. The local MSP contains only information regarding the organization that the local MSP's node (peer, orderer) belongs to. However - a channel MSP can contain information about any organization that is a member of the channel. Actually, a channel has several MSPs - 1 for each organization!

Consider an example - you have orgs A, B, C in channel Foo. So, the channel configuration would have 3 MSPs - each used to verify an identity belonging to the corresponding organization.
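The two validation rules described in the answers above (admin certificates matched byte-for-byte, every other identity validated by an X.509 path to a configured root or intermediate CA) and the "one MSP per organization on the channel" model can be seen working together in the following example. It is added here for illustration and is not code from Hyperledger Fabric or from the answer's author: `MSP`, `Classify`, `newCert` and `buildOrgMSP` are hypothetical names, the MSP model is deliberately simplified (no NodeOUs, CRLs or TLS CAs), and every CA and identity certificate is generated in-process with Go's standard `crypto/x509` package.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MSP is a simplified, hypothetical model of one organisation's MSP: CAs trusted for
// X.509 path validation plus explicitly listed admin certificates (DER, matched byte-for-byte).
type MSP struct {
	Name                 string
	Roots, Intermediates *x509.CertPool
	Admins               [][]byte
}

// IsMember accepts a certificate only if a validation path reaches one of the configured roots.
func (m *MSP) IsMember(der []byte) bool {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: m.Roots, Intermediates: m.Intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// IsAdmin never consults the chain: only an exact DER match against the admin list counts.
func (m *MSP) IsAdmin(der []byte) bool {
	for _, a := range m.Admins {
		if bytes.Equal(a, der) {
			return true
		}
	}
	return false
}

// Classify walks the channel's MSPs (one per organisation) and reports which one accepts
// the identity and whether that MSP lists it as an admin.
func Classify(channelMSPs []*MSP, der []byte) (org string, admin bool, err error) {
	for _, m := range channelMSPs {
		if m.IsMember(der) {
			return m.Name, m.IsAdmin(der), nil
		}
	}
	return "", false, fmt.Errorf("identity not accepted by any MSP on the channel")
}

// newCert issues a throwaway test certificate; parent == nil makes it self-signed.
func newCert(cn, org string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // rand.Reader failures already panic above
	tmpl := &x509.Certificate{
		SerialNumber:          new(big.Int).Add(serial, big.NewInt(1)), // keep it strictly positive
		Subject:               pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // cannot fail: der was just produced by CreateCertificate
	return der, cert, key
}

// buildOrgMSP creates a root CA, an intermediate CA and one admin identity for an organisation.
func buildOrgMSP(org string) (*MSP, *x509.Certificate, *ecdsa.PrivateKey) {
	_, root, rootKey := newCert(org+" Root CA", org, true, nil, nil)
	_, ica, icaKey := newCert(org+" Intermediate CA", org, true, root, rootKey)
	adminDER, _, _ := newCert("admin", org, false, ica, icaKey)
	m := &MSP{Name: org, Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), Admins: [][]byte{adminDER}}
	m.Roots.AddCert(root)
	m.Intermediates.AddCert(ica)
	return m, ica, icaKey
}

func main() {
	orgX, ica, icaKey := buildOrgMSP("OrgX")
	orgY, _, _ := buildOrgMSP("OrgY")
	channelMSPs := []*MSP{orgX, orgY} // constructed channel config: one MSP per org
	alice, _, _ := newCert("alice", "OrgX", false, ica, icaKey)
	_, otherCA, otherKey := newCert("Other CA", "Other", true, nil, nil)       // trusted by no MSP
	outsider, _, _ := newCert("outsider", "OrgX", false, otherCA, otherKey) // claims OrgX in its subject only
	for name, der := range map[string][]byte{"admin": orgX.Admins[0], "alice": alice, "outsider": outsider} {
		org, admin, err := Classify(channelMSPs, der)
		fmt.Printf("%-8s org=%q admin=%v err=%v\n", name, org, admin, err)
	}
}
```

Three things are worth noticing when running it: the outsider's certificate carries "OrgX" in its subject yet is rejected, because membership is decided by the issuing CA, not by what the subject claims; a second certificate for CN=admin issued by the very same intermediate is a member but not an admin, since admins are matched on the exact bytes configured in the MSP; and adding the other CA to `orgX.Roots` (the equivalent of listing it in the channel config) immediately turns every certificate that CA ever issues into an OrgX member, which is exactly the situation the Symantec question above describes, so the set of root and intermediate CA certificates placed in an MSP deserves the same change control as the admin list.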
