Open kiview opened 4 years ago
At least 2 IT-qualified employees must be responsible for the node as administrators. In addition, there must be another employee with access and sufficient qualifications to manage the node in an emergency. Imaginable scenarios are attacks or when the network cannot create consensus.
What happens in case a responsible person dies suddenly and access to the node is lost (due to an unknown password/laptop key)? Do we recommend or enforce a minimum of 3 persons responsible for the node (thinking of the Byzantine Generals Problem)?
Sudden death is a valid point. We could propose a secure way to share keys. Can we propose adopting a secret sharing technique, such as Shamir's Secret Sharing?
What is the abstract item behind this? Is it key access? Key sharing in the organization? Key management?
If I dig into the abstraction item keys, there are two types of keys for access: 1) SSH keys to the host machine of the node? The other is the private keys for the node to connect to the consortium ^
SSH keys in order to connect to a machine is an implementation detail with which eBGF should not be concerned.
Authentication problem: it depends on how the system is configured. Most systems can reset the root password, BUT this only works if SSH authentication with password is not disabled (had this problem with one of my servers). So storing two key pairs for SSH access gives redundancy, but a policy is required on where to store this key.
Consortium problem: the other consortium members are able to blacklist the key (revocation list) with a multi/majority vote. The consortium problem does not have the problem of a key loss, since the key is not bound to direct rules like authentication.
Authentication: There needs to be a policy about node access, not about SSH key storage for node access.
Governance: This will talk about the wallet basically. So this is relevant.
Here I would describe how govdigital solves the topic
What happens if the responsible operating person of an authorized node leaves the company or switches to another company? Is membership bound to an individual or an organization? And what happens with key material: will this move together with the individual, and is it necessary to rotate keys?