internet-sicherheit / eco-blockchain-governance

Working repo for the eco Blockchain Governance Framework
Apache License 2.0

What happens if responsible individuals leave a member organisation? #3

Open kiview opened 4 years ago

kiview commented 4 years ago

What happens if the responsible operating person of an authorized node leaves the company or switches to another company? Is membership bound to an individual or an organization? And what happens with key material: will this move together with the individual, and is it necessary to rotate keys?

chinmay241 commented 4 years ago

General Node Policies

At least 2 IT-qualified employees must be responsible for the node as administrators. In addition, there must be another employee with access and sufficient qualifications to manage the node in an emergency. Imaginable scenarios are attacks or when the network cannot create consensus.

What happens in case a responsible person dies suddenly and access to the node is lost (due to an unknown password/laptop key)? Do we recommend or enforce a minimum of 3 persons responsible for the node (thinking of the Byzantine Generals Problem)?

kiview commented 4 years ago

Sudden death is a valid point. We could propose a secure way to share keys. Can we propose adopting a secret sharing technique, such as Shamir's Secret Sharing?

What is the abstract item behind this? Is it key access? Key sharing in the organization? Key management?

chinmay241 commented 4 years ago

If I dig into the abstract item "keys", there are two types of keys for access: 1) SSH keys to the host machine of the node? The other is the private keys for the node to connect to the consortium ^

kiview commented 4 years ago

SSH keys for connecting to a machine are an implementation detail with which eBGF should not be concerned.

cre8 commented 4 years ago

Authentication problem: it depends on how the system is configured. Most systems can reset the root password, BUT this only works if SSH authentication with password is not disabled (had this problem with one of my servers). So storing two key pairs for SSH access gives redundancy, but a policy is required on where to store this key.

Consortium problem: the other consortium members are able to blacklist the key (revocation list) with a multi/majority vote. The consortium problem does not have the problem of key loss, since the key is not bound to direct rules like authentication.

kiview commented 4 years ago

Authentication: There needs to be a policy about node access, not about SSH key storage for node access.

Governance: This will talk about the wallet basically. So this is relevant.

BeckerAn123 commented 4 years ago

Here I would describe how govdigital solves the topic.