How to avoid Fabric CA being a single point of failure?

If I understand correctly, each peer in the blockchain network (somehow connected by gossip) will only accept incoming connections from other peers if they use an HTTPS connection with a public key signed by the Fabric CA.

Is it correct?

So, in my understanding, the Root-CA becomes the only point of failure, because it could be changed, and from then on modified Root-CA certificates will be distributed to the nodes, and ultimately no node can connect to any other any more.

Is it correct?

+5
source share
4 answers

Let me try to answer two questions as well, perhaps a little more bluntly.

QUESTION1: If I understood correctly, each peer in the blockchain network (somehow connected with gossip) will only accept incoming connections from other peers if they use an HTTPS connection with a public key signed by the Fabric CA. Is that right?

ANSWER1: No, that is not true. You said "Fabric CA", but each blockchain network has several trusted certificate authorities, each of which can be a Fabric CA or another CA, or a combination. There is no single trusted root CA in this model. In addition, peer connections are over gRPC, not HTTPS.

QUESTION2: So, in my understanding, Root-CA becomes the only point of failure because it could be modified, and from that moment the modified Root-CA certificates will be distributed to the nodes, and ultimately no node can connect to each other more. Is it correct?

ANSWER2: No, that is not true. There is no SPoF (Single Point of Failure), because: a) a single Fabric CA can run in a cluster; b) there are several Fabric CA clusters (or other CAs) in a blockchain network; c) peers and customers are not directly connected to the CA. They work with cryptographic material accessible locally from the file system or from their copy of the ledger. Also, there is no SPoT (Single Point of Trust), because: a) there are several root CAs without a common root key and b) configuration updates that affect who trusts whom may need signatures from several identifiers from different roots of trust. For example, changing a trust policy may require a signature from an administrator from each organization in the chain (or in a hyperlink in the channel).

+3
source

Browsers will accept incoming connections from other peers and customers. You determine which members are going to take part in the channel, i.e. who is going to participate in the mini-blockchain on your network. Then you create artifacts for each member. You have more information about the channels and artifacts you need to create here. And additional information about the tool that you will use here.

Once you have created a channel and joined it, it is managed by MSP. When you create a channel, you define a public key for each scale. Then MSP manages them.

As you said, the Root-CA can be changed, but that can happen on any other system with any other Root-CA. The Fabric CA server must be turned on when members request their keys, and then it will be stopped. In addition, Hyperledger recommends creating intermediate CAs.

+1
source

The answers from varnit and Urko partially address the question. However, there are many aspects to consider when deciding whether Fabric CA represents a SPOF. Firstly, Fabric CAs can be made highly available, as indicated in the answer from varnit. However, a Fabric CA is not required to operate the blockchain; it can be used by the SDK or CLI to obtain certificates that are used to configure peers and customers on the network and the channels through which transactions will be performed. You can create the certificates you need to fully configure the network without Fabric CA by using the cryptogen tool. The fabric guide here is defined here. To configure the network, you will use the configtxgen tool.

When setting up the network, certificates representing each role of the organization are stored in the network genesis block and when setting up the channel in the channel configuration block. Therefore, each node, whether peer or customer, has access to all (root) certificates. The only way to change the root certificates of various organizations is to get a confirmed transaction to update the network configuration, consistent with the approval policy defined for that network.

+1
source
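The multi-root trust model described in the answers above, as an added `configtx.yaml` fragment (the input to the configtxgen tool mentioned above). It is not part of the original answers; the organization names, MSP IDs and MSPDir paths are constructed placeholders.

```yaml
# configtx.yaml fragment (input to configtxgen). Added example: org names,
# MSP IDs and MSPDir paths are constructed placeholders.
Organizations:
  - &Org1
    Name: Org1MSP
    ID: Org1MSP
    # Org1's MSP material; cacerts/ holds Org1's own root CA certificate,
    # which configtxgen embeds in the configuration block.
    MSPDir: crypto-config/peerOrganizations/org1.example.com/msp
    Policies:
      Readers: {Type: Signature, Rule: "OR('Org1MSP.member')"}
      Writers: {Type: Signature, Rule: "OR('Org1MSP.member')"}
      Admins:  {Type: Signature, Rule: "OR('Org1MSP.admin')"}
  - &Org2
    Name: Org2MSP
    ID: Org2MSP
    # A second, unrelated root of trust: no key is shared with Org1's CA.
    MSPDir: crypto-config/peerOrganizations/org2.example.com/msp
    Policies:
      Readers: {Type: Signature, Rule: "OR('Org2MSP.member')"}
      Writers: {Type: Signature, Rule: "OR('Org2MSP.member')"}
      Admins:  {Type: Signature, Rule: "OR('Org2MSP.admin')"}

Application: &ApplicationDefaults
  Organizations:
  Policies:
    Readers: {Type: ImplicitMeta, Rule: "ANY Readers"}
    Writers: {Type: ImplicitMeta, Rule: "ANY Writers"}
    Admins:
      Type: ImplicitMeta
      # Weak setting: "ANY Admins" would let an admin certificate issued
      # under a single organization's root CA approve changes to the
      # set of organizations (and therefore the trusted roots).
      # Rule: "ANY Admins"
      # Corrected: every organization's Admins policy must be satisfied,
      # so a signature is needed from an admin of each organization.
      Rule: "ALL Admins"
```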

First of all, I would like to say that the question is very interesting. Secondly, I think your problems are correct with respect to Hyperledger Composer, but I would say that, since all Hyperledger Fabric components are container-based, they can be easily scaled. Therefore, in the case of Docker Swarm I would just use `docker service scale hyperledger-ca=5` and it will scale it to 5 containers or different nodes. I hope that answers your question; please let me know if you have something to answer.

-1
source

Source: https://habr.com/ru/post/1270198/

