Re: introduce msp into chaincode for authentication

Prasanth Sundaravelu

I didn't understand the use case correctly. Do you want to externally verify an Issuer's identity after he/she issues the digital asset? (I assume, when issuing the asset, he will be the creator of the transaction) 

If this is the case, 
- You can store the issuer's x.509 certificate when he/she issues the asset and whoever needs to verify can acquire it from the ledger to do so.

- Prasanth

On Sun, Apr 5, 2020 at 8:14 AM qs meng <qsmeng@...> wrote:
Hi Prasanth,
Thank you very much for your reply. Indeed, a transaction creator is already authenticated, and attributes can be used to do access control.
Consider another use case. Using chaincode to issue digital assets for physical assets requires the asset issuer's identity to be authenticated. However, the issuer is not the transaction creator. If the function to read the MSP CA could be moved into the chaincode part as an API, that would be very good.
Is it possible, and if it is, how should I do it? Thank you.
  Best regards,
qs meng

At 2020-04-02 18:27:14, "Prasanth Sundaravelu" <prasanths96@...> wrote:

Hi Meng, 

If my understanding is correct,

You have considered one use-case, where you want to authenticate based on whether the creator is from a certain org (to be more precise, a creator/user registered by a certain client/org). It is one of the application use cases. Similarly, there can be more such application use cases. We cannot move all such use cases to hyperledger's core.

Also, there is actually a way to implement your use case. Check out Attribute Based Access Control in Hyperledger Fabric.

General idea:
For identifying if the creator is from a certain org:
- In an ideal case, each org will have a different CA, so at chaincode, read the certificate to find out the org name.

For identifying if the creator is from a specific client in the same org:
- You can add a special attribute to the certificate, indicating the name/identifier of the client, when registering a user.
- Then, at chaincode, you can read the certificate to find out the client id.

In both cases, you have to write authentication logic at chaincode.

- Prasanth
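The chaincode-side check described above (org from the CA that issued the creator certificate, client from a registered attribute), as an added Go example that is not part of this thread or of Fabric's own cid library. It assumes the Fabric CA attribute extension (OID 1.2.3.4.5.6.7.8.1 carrying JSON `{"attrs":{...}}`) and a client attribute named "client"; the certificate it parses is constructed locally in SampleCertPEM, not a real enrollment certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"encoding/pem"
	"math/big"
	"time"
)
// Fabric CA writes enrollment attributes into extension 1.2.3.4.5.6.7.8.1 as JSON {"attrs":{...}}.
var attrOID = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7, 8, 1}
// CreatorOrgAndClient is the chaincode-side parse: issuing CA's organization and the "client" attribute.
func CreatorOrgAndClient(certPEM []byte) (org, client string, err error) {
	if block, _ := pem.Decode(certPEM); block != nil {
		certPEM = block.Bytes // PEM input: use the DER payload; non-PEM input is parsed as DER
	}
	cert, err := x509.ParseCertificate(certPEM)
	if err != nil {
		return "", "", err
	}
	if len(cert.Issuer.Organization) > 0 {
		org = cert.Issuer.Organization[0] // the org is identified by the CA that issued the cert
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(attrOID) { // attribute extension found: decode its JSON payload
			var w map[string]map[string]string
			err = json.Unmarshal(ext.Value, &w)
			return org, w["attrs"]["client"], err
		}
	}
	return org, "", nil // no attribute extension: client stays unset
}

// SampleCertPEM builds a constructed self-signed cert imitating a Fabric CA enrollment cert (test data only).
func SampleCertPEM(org, client string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	attrs, _ := json.Marshal(map[string]map[string]string{"attrs": {"client": client}})
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "user1", Organization: []string{org}},
		NotBefore:       time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: attrOID, Value: attrs}},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

In real chaincode the PEM bytes come from the creator's SerializedIdentity (GetCreator), and the authorization rule is then simply org == expected org and client == expected client.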

On Wed, 1 Apr 2020, 12:34 pm qs meng, <qsmeng@...> wrote:
Hi Yacov,
Yes, a peer would authenticate the proposal creator, who is a member of the fabric network. But in the chaincode container, there is no way to authenticate an identity who belongs to one client application. If a chaincode could get the CA certificate, it would be feasible for chaincode to authenticate identities who belong to the client application.
I do not know if I have explained it clearly.
   Thank you.
qs meng

At 2020-04-01 14:45:32, "Yacov Manevich" <YACOVM@...> wrote:

The proposal is authenticated by the peer before it gets into the chaincode.

From: "qs meng" <qsmeng@...>
To: "fabric@..." <fabric@...>
Date: 04/01/2020 03:26 AM
Subject: [EXTERNAL] [Hyperledger Fabric] introduce msp into chaincode for authentication
Sent by: fabric@...

I suggest adding MSP support into chaincode to authenticate identities in client applications. The getCreator API only gets the creator and takes it as already authenticated.
A way to do it: an endorsing peer has a function to get the CA from the config block and authenticate the transaction creator. Just copy the function to the chaincode part. Is it feasible?
  Thank you.
qs meng
