Re: Why should organization not be both orderer and peer?

Jason Yellick <jyellick@...>

Yes, the BlockValidation policy is the key element to protect.  And, we should probably change the default away from 'ANY Writers' to something more specific -- but any such changes create pains for existing users so need to be weighed carefully.

As the SO post mentions, it's possible to do things securely, it's just trickier, especially given some of the legacy concerns.  If you are using node OUs, the whole thing becomes much easier to accomplish safely, but, operationally dealing with having two copies of the same MSP definition can be a bit tricky.  You'll have to do updates keeping them completely in sync.

I'd still suggest sticking to separate organizations, even if they share the same CA.  You can use a common CA but distinguish MSP definition by setting an OU for that MSP which must be satisfied.  This is similar to, but different from NodeOUs.  Where NodeOUs differentiate the role of an identity based on the OU, setting OUs for the MSP overall will require for any identity to be valid, the certificate must contain some OU authorized by the MSP.  This can be especially useful when an organization wishes to use public CA infrastructure which might even be shared across organizations.
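As an added illustration of the MSP-level OU requirement described above (constructed for this thread, not configuration from the original post or from the Fabric project), the two MSP config.yaml documents below assume two organizations, Org1MSP and Org2MSP, whose certificates are all issued by one shared CA whose certificate is stored as cacerts/ca.shared.example.com-cert.pem; the top-level OrganizationalUnitIdentifiers entry is what makes a certificate valid for one MSP and not the other, while NodeOUs only assigns a role to an identity that has already passed that check.

```yaml
# Org1MSP/msp/config.yaml (constructed example; the CA file name is an assumption)
# A certificate from the shared CA is only valid for Org1MSP if it carries OU=org1.
OrganizationalUnitIdentifiers:
  - Certificate: cacerts/ca.shared.example.com-cert.pem
    OrganizationalUnitIdentifier: org1
# NodeOUs classify an identity that already satisfied the OU requirement above.
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca.shared.example.com-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca.shared.example.com-cert.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/ca.shared.example.com-cert.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/ca.shared.example.com-cert.pem
    OrganizationalUnitIdentifier: orderer
---
# Org2MSP/msp/config.yaml: same CA and same NodeOU roles, different required OU.
# A certificate carrying OU=org1 (and not OU=org2) is rejected by this MSP.
OrganizationalUnitIdentifiers:
  - Certificate: cacerts/ca.shared.example.com-cert.pem
    OrganizationalUnitIdentifier: org2
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca.shared.example.com-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca.shared.example.com-cert.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/ca.shared.example.com-cert.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/ca.shared.example.com-cert.pem
    OrganizationalUnitIdentifier: orderer
```

With both settings enabled, a peer certificate for Org1MSP needs both OUs in its subject (for example OU=org1 and OU=peer), and the CA should only issue OU=org1 certificates to Org1's enrollment identities, since the OU is now the only thing separating the two organizations.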


----- Original message -----
From: "Bram Dufour" <bram.dufour8@...>
Sent by: fabric@...
To: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Why should organization not be both orderer and peer?
Date: Mon, Aug 17, 2020 12:40 PM

Thanks a lot Jason, I hadn't thought about those attacks yet.

But isn't it possible for the organizations with orderer to use the OU roles, set the following policies and just run orderer and peers within the same organization? Isn't this possible or do you still see some vulnerabilities with this approach?

Policies: &OrgPolicies
    Type: Signature
    Rule: "OR('org.orderer')"

And then also set the BlockValidation policy like this:

    Type: ImplicitMeta
    Rule: "ANY Orderer"


Thanks a lot in advance, it is a very interesting and important topic.

