Hyperledger Fabric docs on Membership Service Provider - Questions

Question

I read the docs on Hyperledger Fabric Membership Service Providers (MSPs) and not everything was really clear to me.

The link to the part of the docs on MSPs is this: https://hyperledger-fabric.readthedocs.io/en/release-1.2/membership/membership.html

1. Quote from the docs:

This is where a Membership Service Provider (MSP) comes into play — it identifies which Root CAs and Intermediate CAs are trusted to define the members of a trust domain, e.g., an organization, either by listing the identities of their members, or by identifying which CAs are authorized to issue valid identities for their members, or — as will usually be the case — through a combination of both.

My understanding of this paragraph is this: An MSP of OrgX either has a list of OrgX's members (so a participant on the network can simply be checked against the list) or, alternatively, the MSP defines which Certificate Authority is allowed to issue identities for members of OrgX. Is this understanding correct?

2. If an MSP of OrgX defines the Certificate Authority that is allowed to issue identities to members of OrgX, then how does this protect the network from unwanted participants entering? Let's say that the MSP of OrgX uses "Symantec" as its CA. So everybody with a certificate from Symantec is regarded as member of OrgX and can participate in the network. But what if I (who is not a member of OrgX) get myself a certificate from "Symantec"? Am I now automatically considered a ember of OrgX and can join the network?

3. There are channel MSPs and local MSPs. According to the docs, both the channel MSP and the local MSP define which identities belong to a certain organisation (for example, OrgX). But what's the point of instantiating the channel MSP to nodes, if the channel MSP contains the same information as the local MSP (namely basically a list of identities)?

Answer 1

My understanding of this paragraph is this: An MSP of OrgX either has a list of OrgX's members (so a participant on the network can simply be checked against the list) or, alternatively, the MSP defines which Certificate Authority is allowed to issue identities for members of OrgX. Is this understanding correct?

Correct. But... in practice, the only certificates that are explicitly configured in the MSP, are administrator certificates. The rest are not configured, and are verified by standard x509 PKI validation (finding a validation path to some intermediate or root CA), while the admin certificates are identified by a byte-by-byte comparison.

If an MSP of OrgX defines the Certificate Authority that is allowed to issue identities to members of OrgX, then how does this protect the network from unwanted participants entering?

Unwanted participants are not expected to have a private key that has a corresponding certificate that is ussed by OrgX.

Let's say that the MSP of OrgX uses "Symantec" as its CA. So everybody with a certificate from Symantec is regarded as member of OrgX and can participate in the network. But what if I (who is not a member of OrgX) get myself a certificate from "Symantec"? Am I now automatically considered a ember of OrgX and can join the network?

If you get a private key corresponding to the public key of a certificate that is issued by Symantec's CA, and the CA has a certificate that is configured as a root CA or intermediate CA in the fabric channel config, then - you can authenticate as a member of OrgX.

There are channel MSPs and local MSPs. According to the docs, both the channel MSP and the local MSP define which identities belong to a certain organisation (for example, OrgX). But what's the point of instantiating the channel to nodes, if the channel MSP contains the same information as the local MSP (namely basically a list of identities)?

the channel MSP doesn't contain the same information as the local MSP. The local MSP, contains only information regarding the organization that the local MSP's node (peer, orderer) belongs to. However - a channel MSP, can contain information about any organization that is a member of the channel. Actually, a channel has several MSPs - 1 for each organization!

Consider an example - you have orgs A, B C in channel Foo. So, the channel configuration would have 3 MSPs - each used to verify an identity belonging to the corresponding organization.