Question
I read the docs on Hyperledger Fabric Membership Service Providers (MSPs) and not everything was really clear to me.
The link to the part of the docs on MSPs is this: https://hyperledger-fabric.readthedocs.io/en/release-1.2/membership/membership.html
- Quoting from the docs:
My understanding of this paragraph is this: An MSP of OrgX either has a list of OrgX's members (so a participant on the network can simply be checked against the list) or, alternatively, the MSP defines which Certificate Authority is allowed to issue identities for members of OrgX. Is this understanding correct?
-
If an MSP of OrgX defines the Certificate Authority that is allowed to issue identities to members of OrgX, then how does this protect the network from unwanted participants entering? Let's say that the MSP of OrgX uses "Symantec" as its CA. So everybody with a certificate from Symantec is regarded as a member of OrgX and can participate in the network. But what if I (who is not a member of OrgX) get myself a certificate from "Symantec"? Am I now automatically considered a member of OrgX and can join the network?
There are channel MSPs and local MSPs. According to the docs, both the channel MSP and the local MSP define which identities belong to a certain organisation (for example, OrgX). But what's the point of instantiating the channel MSP to nodes, if the channel MSP contains the same information as the local MSP (namely, basically a list of identities)?
Recommended answer
Correct. But... in practice, the only certificates that are explicitly configured in the MSP are administrator certificates. The rest are not configured, and are verified by standard x509 PKI validation (finding a validation path to some intermediate or root CA), while the admin certificates are identified by a byte-by-byte comparison.
Unwanted participants are not expected to have a private key that has a corresponding certificate that is used by OrgX.
If you get a private key corresponding to the public key of a certificate that is issued by Symantec's CA, and the CA has a certificate that is configured as a root CA or intermediate CA in the Fabric channel config, then - you can authenticate as a member of OrgX.
The channel MSP doesn't contain the same information as the local MSP. The local MSP contains only information regarding the organization that the local MSP's node (peer, orderer) belongs to. However - a channel MSP can contain information about any organization that is a member of the channel. Actually, a channel has several MSPs - 1 for each organization!
Consider an example - you have orgs A, B and C in channel Foo. So, the channel configuration would have 3 MSPs - each used to verify an identity belonging to the corresponding organization.
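To make the two checks in this answer concrete, here is an added Go example (not Fabric's own code; a simplified model of its MSP using only the standard library): an identity is an admin only if its DER bytes equal a configured admin certificate, and a member only if standard X.509 path validation reaches a CA configured for the organization, so a certificate from a CA that is absent from the channel config (the question's "Symantec" scenario) is rejected. All certificates, keys and the "OrgX"/"Unrelated CA" names are constructed inside the block.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// MSP models the answer: admin certs are matched byte-for-byte, everything else must chain to a configured CA.
type MSP struct {
	Roots  *x509.CertPool  // root/intermediate CA certificates from the channel config
	Admins map[string]bool // keyed by the exact DER bytes of each admin certificate
}
// Classify returns "admin", "member" or "rejected" for a presented identity certificate.
func (m *MSP) Classify(cert *x509.Certificate) string {
	if m.Admins[string(cert.Raw)] { // admin: exact comparison of the DER bytes, no chain walk
		return "admin"
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: m.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "rejected" // standard X.509 path validation found no route to a configured CA
	}
	return "member"
}
// issue makes a P-256 key and a cert for cn signed by parent (self-signed if parent is nil); demo data, errors ignored.
func issue(cn string, ca bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func Demo() map[string]string { // OrgX's MSP: one trusted root CA plus one listed admin cert
	root, rootKey := issue("OrgX Root CA", true, nil, nil)
	admin, _ := issue("OrgX admin", false, root, rootKey)
	peer, _ := issue("OrgX peer0", false, root, rootKey)
	other, otherKey := issue("Unrelated CA", true, nil, nil) // the question's "Symantec", absent from the channel config
	stranger, _ := issue("stranger", false, other, otherKey)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	msp := &MSP{Roots: pool, Admins: map[string]bool{string(admin.Raw): true}}
	return map[string]string{"peer": msp.Classify(peer), "admin": msp.Classify(admin), "stranger": msp.Classify(stranger)}
}
func main() { fmt.Println(Demo()) }
```

Running it prints map[admin:admin peer:member stranger:rejected]; adding "Unrelated CA" to the pool is exactly the situation the answer describes, after which the stranger would be accepted as a member.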