Re: Revoke User certificate


Nye Liu <nye@...>
 

You mean inside channel configuration MSPs, not peer MSPs. Not sure if what I wrote below was clear.

On 1/1/20 6:23 AM, Adhav Pavan wrote:
Hello Nye,

I think we have to place the CRL (generated by the CA) in the MSP folder and not inside the peer.

MSP Structure:

[attached image: image.png]

Description of the same:

Revoked Certificates: If the identity of an actor has been revoked, identifying information about the identity — not the identity itself — is held in this folder. For X.509-based identities, these identifiers are pairs of strings known as Subject Key Identifier (SKI) and Authority Access Identifier (AKI) and are checked whenever the X.509 certificate is being used to make sure the certificate has not been revoked.

This list is conceptually the same as a CA’s Certificate Revocation List (CRL), but it also relates to the revocation of membership from the organization. As a result, the administrator of an MSP, local or channel, can quickly revoke an actor or node from an organization by advertising the updated CRL of the CA the revoked certificate was issued by. This “list of lists” is optional. It will only become populated as certificates are revoked.


Please correct me if I am wrong.

Thank you.

Heartfelt Regards,
Pavan Adhav

Blockchain Developer
Cell Phone: +91-8390114357  E-Mail: adhavpavan@...



On Wed, Jan 1, 2020 at 3:49 AM Nye Liu <nye@...> wrote:
You have to update each applicable channel configuration with the new CRLs. The peer/orderer MSP would then be checked to make sure the entity making the channel configuration update has permission to do so (depending on whether the update is to an orderer system channel or an application channel). This is my understanding but I could be very wrong.

On Tue, Dec 31, 2019, 9:02 AM Hojjat Jashnniloofar <h.niloofar@...> wrote:
Hello,
We are a team that has worked on a KYC solution on Hyperledger Fabric for the last 2 years. We register each user, enroll a certificate for each user and install the key pairs on the users' mobiles. In case of loss or theft, we want to revoke the user certificate and re-enroll them. We found SDK functions for revoke and re-enroll, but we want to ban the old certificates from accessing the chaincode methods. We can generate a CA CRL, but we don't know where we must place these CRLs or how to force peers to check the certificate status before submitting or evaluating a transaction.

We placed this CRL (generated by the CA) on the peer at this path:
/etc/hyperledger/msp/peer/crls
but the user can still submit transactions with the revoked certificate.

Can anyone help us with this case?

Best Regards
Hojjat Jashnniloofar

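Added example (not part of the thread above and not Hyperledger Fabric's own code): a stand-alone Go program that performs the revocation check the quoted MSP documentation describes, using only Go's crypto/x509. It builds a constructed CA, issues certificates for two constructed users, revokes one of them in a PEM-encoded CRL of the kind an MSP crls/ directory holds, and then runs the check three ways: revoked user with the CRL loaded, still-enrolled user with the CRL loaded, and revoked user with no CRL loaded at all. The last case reproduces the symptom in the original question: if the CRL never reaches the MSP configuration that is actually consulted, the revoked certificate is accepted. All names, serial numbers and the SKI value are constructed for the example; the function names (`issue`, `issueCRLPEM`, `isRevoked`, `RunScenario`) are this example's own, not Fabric APIs.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; used only while building the constructed test fixtures.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a P-256 key and a certificate for cn signed by parent/parentKey.
// A nil parent yields the self-signed constructed example CA (not a real Fabric CA).
func issue(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // CA: may sign certificates and CRLs
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		tmpl.SubjectKeyId = []byte{0x01, 0x02, 0x03, 0x04} // constructed SKI; copied into issued certs and CRLs as their AKI
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// issueCRLPEM signs a CRL revoking one serial and PEM-encodes it, the form an MSP
// crls/ directory holds (a channel config carries the same bytes, base64-encoded).
func issueCRLPEM(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial *big.Int) []byte {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: time.Now()}},
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
	return pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: der})
}

// isRevoked is the check the quoted MSP documentation describes: use only CRLs whose
// Authority Key Identifier equals the issuing CA's Subject Key Identifier, verify each
// such CRL is signed by that CA, then match the serial number. No CRL, nothing revoked.
func isRevoked(cert, issuer *x509.Certificate, crls []*x509.RevocationList) (bool, error) {
	if !bytes.Equal(cert.AuthorityKeyId, issuer.SubjectKeyId) {
		return false, fmt.Errorf("certificate was not issued by the given CA")
	}
	for _, crl := range crls {
		if !bytes.Equal(crl.AuthorityKeyId, issuer.SubjectKeyId) {
			continue // CRL from another CA: not applicable to this certificate
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return false, fmt.Errorf("CRL signature invalid: %w", err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return true, nil
			}
		}
	}
	return false, nil
}

// RunScenario builds the constructed PKI and reports: revoked user checked against the
// CRL, still-enrolled user checked against the CRL, and revoked user with no CRL loaded.
func RunScenario() (revokedFlagged, enrolledFlagged, flaggedWithoutCRL bool, err error) {
	ca, caKey := issue(1, "example-org-ca", nil, nil)
	lost, _ := issue(1001, "user-lost-phone", ca, caKey)
	enrolled, _ := issue(1002, "user-still-enrolled", ca, caKey)
	block, _ := pem.Decode(issueCRLPEM(ca, caKey, lost.SerialNumber)) // as read from crls/
	crls := []*x509.RevocationList{must(x509.ParseRevocationList(block.Bytes))}
	if revokedFlagged, err = isRevoked(lost, ca, crls); err != nil {
		return false, false, false, err
	}
	if enrolledFlagged, err = isRevoked(enrolled, ca, crls); err != nil {
		return false, false, false, err
	}
	flaggedWithoutCRL, err = isRevoked(lost, ca, nil)
	return revokedFlagged, enrolledFlagged, flaggedWithoutCRL, err
}

func main() {
	r, e, n, err := RunScenario()
	fmt.Printf("revoked user with CRL: %v\nenrolled user with CRL: %v\nrevoked user, no CRL: %v\nerr: %v\n", r, e, n, err)
}
```

Running it prints true, false, false: the revoked certificate is only rejected when a CRL signed by its issuing CA is among the CRLs the check is given. That is the practical point of Nye's reply: the CRL has to be in the MSP definition the peers actually consult when validating a transaction submitter (the organization's MSP inside each channel configuration), not just in a directory on one peer's filesystem.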