Membership Service Provider
Every actor in a blockchain network (including peers, users, orderers, etc.) has an identity encapsulated in an X.509 digital certificate. These identities are very important, because they determine the exact permissions over resources and access to information that actors have in a blockchain network.
As the Hyperledger Fabric network is permissioned, participants need to prove their identity to the rest of the network in order to perform transactions. Certificate authorities (CAs) issue identities by generating a public and private key forming a key pair that can be used to prove an identity. Since a private key should never be shared publicly, a mechanism is required to provide that proof. This is where a Membership Service Provider (MSP) comes in.
Despite its name, a Membership Service Provider does not actually provide anything. While CAs generate the certificates that represent identities, an MSP contains a list of permissioned identities. The implementation of an MSP is a set of folders that are added to the network configuration and are used to define an organization both inwardly (organizations decide on admins) and outwardly (other organizations validate that entities have the authority to do what they are attempting to do).
For example, a peer uses its private key to digitally sign, or endorse, a transaction. The MSP on the ordering service contains the peer’s public key, which is then used to verify that the signature attached to the transaction is valid. A private key produces a signature on a transaction that only the corresponding public key, which is part of an MSP, can match. Thus, the MSP is the mechanism that allows an identity to be trusted and recognized by the rest of the network without ever revealing the member’s private key.
An MSP determines which Root CAs and Intermediate CAs are accepted to define the members of a trust domain. This can be done by listing the identities of CAs’ members or by identifying which CAs are authorized to issue valid identities for their members.
An MSP also turns an identity into a role by identifying specific privileges an actor has on a node or channel. Note that when a user is registered with a Hyperledger Fabric CA, a role of admin, peer, client, orderer, or member must be associated with the user. For example, identities registered with the peer role should be given to a peer. Similarly, identities registered with the admin role should be given to the organization’s admins.
If compared with credit cards, a certificate authority is like a card provider — it dispenses many different types of verifiable identities. A Membership Service Provider, on the other hand, determines which credit card providers are accepted at the store. In this way, an MSP turns an identity (a credit card) into a role (the ability to buy things at the store).
This ability to turn verifiable identities into roles is fundamental to the way Hyperledger Fabric networks function. It allows organizations, nodes, and channels to establish MSPs that allocate actors across the organization, node, and channel level.
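As an added illustration written for this page (not Fabric's own MSP code), the Go block below models the three ideas above: an MSP as the set of root CAs an organization accepts, a role derived from the certificate's OU (assuming Fabric's NodeOUs names peer, client, admin and orderer), and checking a peer's endorsement with nothing but the public key in its certificate. The toyMSP type, the issue/role/demo functions and the use of Ed25519 keys are assumptions of the example, and all certificates are generated in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// toyMSP is illustrative code, not Fabric's: the root CAs one organization accepts.
type toyMSP struct{ roots *x509.CertPool }

// issue signs a certificate with the parent's key; a nil parent means self-signed (Ed25519 only for brevity).
func issue(ou string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	tmpl.Subject.OrganizationalUnit = []string{ou} // role OU, assuming Fabric's NodeOUs naming
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// role turns an identity into a role: "" unless cert chains to an accepted root CA and carries a role OU.
func (m toyMSP) role(cert *x509.Certificate) string {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: m.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "" // its CA is not listed, so the identity is outside this trust domain
	}
	for _, ou := range cert.Subject.OrganizationalUnit {
		if ou == "peer" || ou == "client" || ou == "admin" || ou == "orderer" {
			return ou
		}
	}
	return ""
}

// demo: Org1's MSP lists only Org1's root CA, so Org1's peer is recognised while a peer from another CA is not.
func demo() (peerRole, strangerRole string, sigOK bool) {
	root, rootKey := issue("ca", true, nil, nil)
	peer, peerKey := issue("peer", false, root, rootKey)
	msp := toyMSP{roots: x509.NewCertPool()}
	msp.roots.AddCert(root)
	tx := []byte("constructed transaction payload")
	sig := ed25519.Sign(peerKey, tx) // the peer endorses with its private key
	otherRoot, otherKey := issue("ca", true, nil, nil)
	stranger, _ := issue("peer", false, otherRoot, otherKey)
	// The verifier needs only the public key inside the peer's certificate to check the endorsement.
	return msp.role(peer), msp.role(stranger), ed25519.Verify(peer.PublicKey.(ed25519.PublicKey), tx, sig)
}
```

Running demo() yields "peer" for Org1's peer, an empty role for the certificate whose CA the MSP does not list, and a valid endorsement check.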
More information about the MSP concept can be found in the official documentation.