github.com/kaituanwang/hyperledger@v2.0.1+incompatible/docs/source/msp-identity-validity-rules.rst

MSP Identity Validity Rules
==================================

As mentioned in the MSP description, MSPs may be configured with a set of root
certificate authorities (rCAs), and optionally a set of intermediate
certificate authorities (iCAs). An MSP's iCA certificates must be signed
by **exactly one** of the MSP's rCAs or iCAs.
An MSP's configuration may also contain a certificate revocation list, or CRL.
If any of the MSP's root certificate authorities are listed in the CRL,
then the MSP's configuration must not include any iCA that is also listed
in the CRL, or the MSP setup will fail.

Each rCA is the root of a certification tree. That is,
each rCA may be the signer of the certificates of one or more iCAs, and these
iCAs will be the signer either of other iCAs or of user certificates.
Here are a few examples::


              rCA1                rCA2         rCA3
            /    \                 |            |
         iCA1    iCA2             iCA3          id
          / \      |               |
      iCA11 iCA12 id              id
       |
      id

The default MSP implementation accepts as valid identities X.509 certificates
signed by the appropriate authorities. In the diagram above,
only certificates signed by iCA11, iCA12, iCA2, iCA3, and rCA3
will be considered valid. Certificates signed by internal nodes of a tree, that is,
by CAs that sign other CAs (rCA1, iCA1 and rCA2 above), will be rejected.

Notice that the validity of a certificate is also affected, in a similar
way, if one or more organizational units are specified in the MSP configuration.
Recall that an organizational unit is specified in an MSP configuration
as a pair of values, say (parent-cert, ou-string), representing the
certificate authority that certifies that organizational unit and the
actual organizational unit identifier, respectively.
If a certificate C is signed by an iCA or rCA
for which an organizational unit has been specified in the MSP configuration,
then C is considered valid only if, among other requirements, it includes
ou-string as a value of its OU field.

.. Licensed under Creative Commons Attribution 4.0 International License
   https://creativecommons.org/licenses/by/4.0/