<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;
      charset=iso-8859-2">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Sure, in the constructor I use:</p>
    <p>  m_face.setInterestFilter("/root/site1",<br>
                                   bind(&Producer::onInterest, this,
      _1, _2),<br>
                                   RegisterPrefixSuccessCallback(),<br>
                                   bind(&Producer::onRegisterFailed,
      this, _1, _2));<br>
      <br>
      <br>
          m_ident = m_keyChain.createIdentity(Name("/root/site1"));<br>
          m_info = ndn::security::SigningInfo(m_ident);</p>
    <p><br>
    </p>
    <p>And then, when an interest arrives, I use this to sign the data:</p>
    <p>  m_keyChain.sign(*data, m_info);<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 24/10/17 15:28, Muktadir R Chowdhury
      (mrchwdhr) wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:DM2PR04MB4803A42BE6896F8F771194BDA470@DM2PR04MB480.namprd04.prod.outlook.com">
      <div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;"
        dir="ltr">
        <p>How are you serving the certificate?</p>
        <p>Can you share the code where producer is sending the
          certificate?</p>
        <p><br>
        </p>
        <p>Muktadir</p>
        <p><br>
        </p>
      </div>
      <hr style="display:inline-block;width:98%" tabindex="-1">
      <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
          face="Calibri, sans-serif" color="#000000"><b>From:</b> Michał
          Król <a class="moz-txt-link-rfc2396E" href="mailto:m.krol@ucl.ac.uk">&lt;m.krol@ucl.ac.uk&gt;</a><br>
          <b>Sent:</b> Tuesday, October 24, 2017 8:24:35 PM<br>
          <b>To:</b> Muktadir R Chowdhury (mrchwdhr);
          <a class="moz-txt-link-abbreviated" href="mailto:ndn-interest@lists.cs.ucla.edu">ndn-interest@lists.cs.ucla.edu</a><br>
          <b>Subject:</b> Re: [Ndn-interest] Complete trust management
          from scratch in ndn-cxx</font>
        <div> </div>
      </div>
      <div>
        <p>When I dump the certificate I get the correct name:</p>
        <p><span>ndnsec-dump-certificate -i -p /root/site1</span></p>
        <p><span>Certificate name:<br>
             
            /root/site1/KEY/%AF%C7%D8y3%5De%06/NA/%FD%00%00%01_AR%9B%1C</span></p>
        <p><span> Key Locator: Name=/root/KEY/%AC%FD%1A%A9%CA%9A%A5%C3<br>
          </span></p>
        <p><span><br>
          </span></p>
        <p><span>However, when I use it to sign, the name I get at the
            consumer is:</span></p>
        <p><span> /root/site1/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_N%9E%0Aw<br>
          </span></p>
        <p><span><br>
          </span></p>
        <p><span>The "NA" component is missing and that's the cause of
            the problem. <br>
          </span></p>
        <p><span><br>
          </span></p>
        <p>In some tutorials, people submit a "-N /root/site1" parameter
          to the <span>ndnsec-certgen command. However, in the newest
            version, this option is not present. Could it be the
            problem?<br>
          </span></p>
        <p><span><br>
          </span></p>
        <p><br>
        </p>
        <p><br>
        </p>
        <p>/root/site1/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_N%9E%0Aw<br>
        </p>
        <br>
        <div class="moz-cite-prefix">On 24/10/17 15:10, Muktadir R
          Chowdhury (mrchwdhr) wrote:<br>
        </div>
        <blockquote type="cite"
cite="mid:DM2PR04MB480240EE1532C11E7C1588ADA470@DM2PR04MB480.namprd04.prod.outlook.com">
          <div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;"
            dir="ltr">
            <p>The value for <span>KEY_COMPONENT_OFFSET is -4. That
                means you get the 4th component from the last. Another
                way of saying this is that you have three more components
                after KEY.</span></p>
            <p><span><br>
              </span></p>
            <p><span>Your key/cert creation looks fine.</span></p>
            <p><span>You can check the name of the certificate using
                this command:</span></p>
            <p><span>ndnsec-dump-certificate -i -p /root,</span></p>
            <p><span>ndnsec-dump-certificate -i -p /root/site1</span></p>
            <p><span><br>
              </span></p>
            <p><span>Just make sure the data that contains the
                certificate is the same as the name of the certificate.</span></p>
            <p><span><br>
              </span></p>
            <p><span>Muktadir</span></p>
            <p><span><br>
              </span></p>
          </div>
          <hr style="display:inline-block;width:98%" tabindex="-1">
          <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
              face="Calibri, sans-serif" color="#000000"><b>From:</b>
              Michał Król
              <a class="moz-txt-link-rfc2396E"
                href="mailto:m.krol@ucl.ac.uk" moz-do-not-send="true">&lt;m.krol@ucl.ac.uk&gt;</a><br>
              <b>Sent:</b> Tuesday, October 24, 2017 7:54:44 PM<br>
              <b>To:</b> Muktadir R Chowdhury (mrchwdhr); <a
                class="moz-txt-link-abbreviated"
                href="mailto:ndn-interest@lists.cs.ucla.edu"
                moz-do-not-send="true">
                ndn-interest@lists.cs.ucla.edu</a><br>
              <b>Subject:</b> Re: [Ndn-interest] Complete trust
              management from scratch in ndn-cxx</font>
            <div> </div>
          </div>
          <div>
            <p>Thanks for your message Muktadir. However, it still looks
              like the &lt;key-owner-prefix&gt; can have only one
              component.
              <br>
            </p>
            <p><br>
            </p>
            <p>When I send an Interest for "/root", use identity "/root"
              to sign and data name "root" it works fine. But when I
              send an interest for "/root/site1", use identity
              "/root/site1" to sign and data name "root/site1" it
              doesn't, because the check in ndn-cxx is expecting "KEY"
              and I have "site1" now as the second component. I tried to
              set the site1 signed certificate as the trust anchor in
              the config file, but it still doesn't help.
              <br>
            </p>
            <p><br>
            </p>
            <p>The check I'm talking about is in
              ./src/security/v2/certificate.cpp line 132.
              KEY_COMPONENT_OFFSET points to the wrong name component.
              Maybe there's a problem when I'm generating the
              identities?</p>
            <p>I do it like this:</p>
            <p>ndnsec-keygen /root | tee root.ndncert |
              ndnsec-cert-install -<br>
              ndnsec-keygen /root/site1 > site1.req<br>
              ndnsec-certgen  -s /root/ site1.req > site1.ndncert<br>
              ndnsec-cert-install -f site1.ndncert</p>
            <p><br>
            </p>
            <p>Once again, thanks a lot for your help,</p>
            <p>Michał<br>
            </p>
            <br>
            <div class="moz-cite-prefix">On 23/10/17 21:35, Muktadir R
              Chowdhury (mrchwdhr) wrote:<br>
            </div>
            <blockquote type="cite"
cite="mid:DM2PR04MB48046908D1186D00E63424ADA460@DM2PR04MB480.namprd04.prod.outlook.com">
              <div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;"
                dir="ltr">
                <p>Hi,</p>
                <p>When your producer sends the certificate make sure
                  that the name of the data is the name of the
                  certificate. Because the receiver will use the data
                  packet to construct the certificate. If the data name
                  does not follow the certificate naming convention, the
                  constructor for Certificate will throw the error you
                  reported.</p>
                <p> </p>
                <p>Please note that certificate name and key name are
                  different.</p>
                <p>Key name:
                  &lt;key-owner-prefix&gt;/KEY/&lt;key-id&gt;, </p>
                <p>Certificate name:
                  &lt;key-owner-prefix&gt;/KEY/&lt;key-id&gt;/&lt;issuer-id&gt;/&lt;version-id&gt;.</p>
                <p><br>
                </p>
                <p>For certificate name the library is expecting
                  three more components after the "KEY" component.</p>
                <p><br>
                </p>
                <p>Let me know if you have any more questions.</p>
                <p><br>
                </p>
                <p>Muktadir</p>
              </div>
              <hr style="display:inline-block;width:98%" tabindex="-1">
              <div id="divRplyFwdMsg" dir="ltr"><font
                  style="font-size:11pt" face="Calibri, sans-serif"
                  color="#000000"><b>From:</b> Ndn-interest
                  <a class="moz-txt-link-rfc2396E"
                    href="mailto:ndn-interest-bounces@lists.cs.ucla.edu"
                    moz-do-not-send="true">
                    &lt;ndn-interest-bounces@lists.cs.ucla.edu&gt;</a>
                  on behalf of Michał Król <a
                    class="moz-txt-link-rfc2396E"
                    href="mailto:m.krol@ucl.ac.uk"
                    moz-do-not-send="true">
                    &lt;m.krol@ucl.ac.uk&gt;</a><br>
                  <b>Sent:</b> Sunday, October 22, 2017 7:28:45 PM<br>
                  <b>To:</b> <a class="moz-txt-link-abbreviated"
                    href="mailto:Matteo.Bertolino@eurecom.fr"
                    moz-do-not-send="true">
                    Matteo.Bertolino@eurecom.fr</a>; <a
                    class="moz-txt-link-abbreviated"
                    href="mailto:ndn-interest@lists.cs.ucla.edu"
                    moz-do-not-send="true">
                    ndn-interest@lists.cs.ucla.edu</a><br>
                  <b>Subject:</b> Re: [Ndn-interest] Complete trust
                  management from scratch in ndn-cxx</font>
                <div> </div>
              </div>
              <div>
                <p>I looked a bit deeper in the code and I found the
                  reason for the problem. <br>
                </p>
                <p>ndn-cxx is expecting "KEY" as the second component in
                  the certificate name. However, my certificate name is:
"/root/publisher/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_D8%F1%A4", so "KEY"
                  is the third component. </p>
                <p>When I changed the code to put "/root/" in the
                  Interest instead of "/root/site1" it solved the
                  problem and the signature is verified correctly. In
                  future experiments I would like to implement a
                  hierarchy of trust. Do you know what the problem is
                  here?</p>
                <p>Best,</p>
                <p>Michał<br>
                </p>
                <br>
                <div class="moz-cite-prefix">On 17/10/17 10:49, Michał
                  Król wrote:<br>
                </div>
                <blockquote type="cite"
                  cite="mid:d78599a8-d4de-1a20-0b2a-036d1566c8d8@ucl.ac.uk">
                  <p>Hi Matteo, <br>
                  </p>
                  <p>thanks for your message. It's just a formatting
                    problem. For some reason my mail client decided to
                    replace tabs with "/" and "?". They are not present
                    in the files though.
                    <br>
                  </p>
                  <p>I've seen your tutorial before. Actually, it was
                    the only complete solution I could find online, so
                    I was basing heavily on it. Thank you. My setup
                    seems only slightly different, but I still can't
                    make it work.
                    <br>
                  </p>
                  <p>Best,</p>
                  <p>Michał<br>
                  </p>
                  <p><br>
                  </p>
                  <br>
                  <blockquote type="cite"
                    cite="mid:EAB20BA3-4E53-44A8-8CF9-5C1DF292037F@ucl.ac.uk">
                    <br class="">
                    <div style=""><br class="">
                      <blockquote type="cite" class="">
                        <div class="">Begin forwarded message:</div>
                        <br class="Apple-interchange-newline">
                        <div style="margin-top: 0px; margin-right: 0px;
                          margin-bottom: 0px; margin-left: 0px;"
                          class="">
                          <span style="font-family: -webkit-system-font,
                            Helvetica Neue, Helvetica, sans-serif;
                            color:rgba(0, 0, 0, 1.0);" class=""><b
                              class="">From:
                            </b></span><span style="font-family:
                            -webkit-system-font, Helvetica Neue,
                            Helvetica, sans-serif;" class="">Matteo
                            Bertolino &lt;<a
                              href="mailto:Matteo.Bertolino@eurecom.fr"
                              class="" moz-do-not-send="true">Matteo.Bertolino@eurecom.fr</a>&gt;<br
                              class="">
                          </span></div>
                        <div style="margin-top: 0px; margin-right: 0px;
                          margin-bottom: 0px; margin-left: 0px;"
                          class="">
                          <span style="font-family: -webkit-system-font,
                            Helvetica Neue, Helvetica, sans-serif;
                            color:rgba(0, 0, 0, 1.0);" class=""><b
                              class="">Subject:
                            </b></span><span style="font-family:
                            -webkit-system-font, Helvetica Neue,
                            Helvetica, sans-serif;" class=""><b class="">Re:
                              [Ndn-interest] Complete trust management
                              from scratch in ndn-cxx</b><br class="">
                          </span></div>
                        <div style="margin-top: 0px; margin-right: 0px;
                          margin-bottom: 0px; margin-left: 0px;"
                          class="">
                          <span style="font-family: -webkit-system-font,
                            Helvetica Neue, Helvetica, sans-serif;
                            color:rgba(0, 0, 0, 1.0);" class=""><b
                              class="">Date:
                            </b></span><span style="font-family:
                            -webkit-system-font, Helvetica Neue,
                            Helvetica, sans-serif;" class="">16 October
                            2017 19:49:16 BST<br class="">
                          </span></div>
                        <div style="margin-top: 0px; margin-right: 0px;
                          margin-bottom: 0px; margin-left: 0px;"
                          class="">
                          <span style="font-family: -webkit-system-font,
                            Helvetica Neue, Helvetica, sans-serif;
                            color:rgba(0, 0, 0, 1.0);" class=""><b
                              class="">To:
                            </b></span><span style="font-family:
                            -webkit-system-font, Helvetica Neue,
                            Helvetica, sans-serif;" class="">&lt;<a
                              href="mailto:ndn-interest@lists.cs.ucla.edu"
                              class="" moz-do-not-send="true">ndn-interest@lists.cs.ucla.edu</a>&gt;<br
                              class="">
                          </span></div>
                        <br class="">
                        <div class="">Hello,<br class="">
                          why do you have the "//" in each line of the
                          validator?<br class="">
                          I am by phone so I cannot provide you easily a
                          good answer, but you can find a completed and
                          commented use case  here:
                          <a
href="https://github.com/MatteoBertolino92/NDN-matteo/blob/master/ndncxx_miniNDN_someUseCases_nacks__certificates__interest_verification.pdf"
                            class="" moz-do-not-send="true">
https://github.com/MatteoBertolino92/NDN-matteo/blob/master/ndncxx_miniNDN_someUseCases_nacks__certificates__interest_verification.pdf</a><br
                            class="">
                          <br class="">
                          Section 3. Write me if you need some
                          clarifications.<br class="">
                          Matteo<br class="">
                          <br class="">
                          <br class="">
                          Quoting Michał Król &lt;<a
                            href="mailto:m.krol@ucl.ac.uk" class=""
                            moz-do-not-send="true">m.krol@ucl.ac.uk</a>&gt;:<br
                            class="">
                          <br class="">
                          <blockquote type="cite" class="">Dear all,<br
                              class="">
                            <br class="">
                            I'm struggling with setting up a simple
                            trust/security system in NDN. I<br class="">
                            find it difficult to find an updated set of
                            information that will work for<br class="">
                            all system components. Please correct me if
                            I misunderstood something.<br class="">
                            <br class="">
                            I have a very simple scenario: one producer
                            and one consumer on one<br class="">
                            machine. I want to have a central entity
                            (root) and a publisher<br class="">
                            (publisher) that will be allowed to publish
                            trusted content.<br class="">
                            <br class="">
                            I first create the root certificate using
                            ndnsec and selfsign it: /<br class="">
                            /<br class="">
                            <br class="">
                            /    ndnsec-key-gen -n /root//<br class="">
                            /<br class="">
                            <br class="">
                            /    ndnsec-sign-req /root > root.cert/<br
                              class="">
                            <br class="">
                            Next I create a certificate for the
                            publisher and sign it using the root<br
                              class="">
                            certificate:<br class="">
                            <br class="">
                            /   ndnsec-key-gen -n /root/publisher >
                            unsigned_publisher.cert//<br class="">
                            //   ndnsec-cert-gen -S 201510080000 -E
                            202010080000  -s /root -i<br class="">
                            /root/publisher -r unsigned_publisher.cert 
                            > publisher.cert/<br class="">
                            <br class="">
                            <br class="">
                            I then used the publisher identity to sign
                            the data:<br class="">
                            <br class="">
                            /    m_ident =
                            m_keyChain.createIdentity(Name("/root/publisher"));//<br
                              class="">
                            //    m_info =
                            ndn::security::SigningInfo(m_ident);/<br
                              class="">
                            <br class="">
                            /    m_keyChain.sign(*data, m_info);/<br
                              class="">
                            <br class="">
                            On the consumer side I use a validator to
                            validate data:<br class="">
                            <br class="">
                            /    m_validator->load("sample.cfg");/<br
                              class="">
                            <br class="">
                            /    m_validator->validate (data,//<br
                              class="">
                            //           
                            ndn::bind(&Consumer::onValidated, this,
                            _1),//<br class="">
                            //           
                            ndn::bind(&Consumer::onValidationFailed,
                            this, _1, _2));/<br class="">
                            <br class="">
                            <br class="">
                            I want to trust everything signed with the
                            publishers key. The<br class="">
                            sample.cfg is:<br class="">
                            <br class="">
                            /    rule//<br class="">
                            //    {//<br class="">
                            //      id "Sample Rule"//<br class="">
                            //      for data//<br class="">
                            //      filter//<br class="">
                            //      {//<br class="">
                            //        type name//<br class="">
                            //        name /root/publisher//<br class="">
                            //        relation is-prefix-of//<br
                              class="">
                            //      }//<br class="">
                            //      checker//<br class="">
                            //      {//<br class="">
                            //        type hierarchical//<br class="">
                            //        sig-type rsa-sha256//<br class="">
                            //      }//<br class="">
                            //    }//<br class="">
                            //<br class="">
                            //    trust-anchor//<br class="">
                            //    {//<br class="">
                            //      type file//<br class="">
                            //      file-name "root.cert"//<br class="">
                            //    }/<br class="">
                            <br class="">
                            <br class="">
                            Now, when I launch the consumer, it issues
                            an interest, gets the data,<br class="">
                            issues another interest to get the key<br
                              class="">
(/root/publisher/KEY/4%05i%7E%3C%F6%87%2F/%FD%00%00%01_%25%8Bz%80), but<br
                              class="">
                            ends up with an error:<br class="">
                            <br class="">
                            /    Malformed certificate (Name does not
                            follow the naming convention<br class="">
                            for certificate). /<br class="">
                            <br class="">
                            <br class="">
                            My question is now, is it how I'm supposed
                            to do this? If yes, what's<br class="">
                            the problem here? If not, is there any
                            example tutorial, walking through<br
                              class="">
                            all the steps of managing trust in NDN
                            (ndnsec, app, validator)?<br class="">
                            <br class="">
                            Thanks in advance,<br class="">
                            <br class="">
                            Michał<br class="">
                            <br class="">
                            <br class="">
                          </blockquote>
                          <br class="">
                          <br class="">
                          <br class="">
                        </div>
                      </blockquote>
                    </div>
                    <br class="">
                  </blockquote>
                  <br>
                </blockquote>
                <br>
              </div>
            </blockquote>
            <br>
          </div>
        </blockquote>
        <br>
      </div>
    </blockquote>
    <br>
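    <p>The certificate name check discussed in this thread (KEY_COMPONENT_OFFSET of -4), as an added example that is not part of the original messages and is not ndn-cxx's own code. It splits an NDN name URI and reports where the KEY component sits, using the two names quoted above; the names checkCertName, CertNameStatus, splitName and percentDecode are made up for this example.</p>

```cpp
// Added example: a stand-alone version of the certificate *name* check
// discussed in this thread. It is not ndn-cxx code and does not link to it.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// From the thread: "KEY" must be the 4th component from the end, because a
// certificate name is <key-owner-prefix>/KEY/<key-id>/<issuer-id>/<version-id>.
constexpr int KEY_COMPONENT_OFFSET = -4;
const std::string KEY_COMPONENT = "KEY";

enum class CertNameStatus { Ok, TooShort, KeyAtWrongOffset, NoKeyComponent };

struct CertNameCheck {
  CertNameStatus status;
  int keyOffset;  // position of the last "KEY" counted from the end; 0 if absent
};

// Decode %XX escapes so that "KEY" and "%4B%45%59" compare equal.
std::string percentDecode(const std::string& in) {
  std::string out;
  for (std::size_t i = 0; i < in.size(); ++i) {
    if (in[i] == '%' && i + 2 < in.size() &&
        std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
        std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
      out.push_back(static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16)));
      i += 2;
    } else {
      out.push_back(in[i]);
    }
  }
  return out;
}

// Split an NDN URI such as /root/site1/KEY/... into decoded components.
std::vector<std::string> splitName(const std::string& uri) {
  std::vector<std::string> comps;
  std::size_t pos = 0;
  while (pos < uri.size()) {
    std::size_t next = uri.find('/', pos);
    if (next == std::string::npos) next = uri.size();
    if (next > pos) comps.push_back(percentDecode(uri.substr(pos, next - pos)));
    pos = next + 1;
  }
  return comps;
}

// Report whether "KEY" sits at KEY_COMPONENT_OFFSET and, if not, where it is.
CertNameCheck checkCertName(const std::string& uri) {
  const std::vector<std::string> comps = splitName(uri);
  const int n = static_cast<int>(comps.size());
  int keyOffset = 0;
  for (int i = n - 1; i >= 0; --i) {
    if (comps[i] == KEY_COMPONENT) { keyOffset = i - n; break; }
  }
  if (n < -KEY_COMPONENT_OFFSET) return {CertNameStatus::TooShort, keyOffset};
  if (comps[n + KEY_COMPONENT_OFFSET] == KEY_COMPONENT)
    return {CertNameStatus::Ok, KEY_COMPONENT_OFFSET};
  if (keyOffset == 0) return {CertNameStatus::NoKeyComponent, 0};
  return {CertNameStatus::KeyAtWrongOffset, keyOffset};
}

std::string describe(const CertNameCheck& r) {
  switch (r.status) {
    case CertNameStatus::Ok: return "OK: KEY is at offset -4";
    case CertNameStatus::TooShort: return "too short: fewer than 4 components";
    case CertNameStatus::NoKeyComponent: return "no KEY component in the name";
    case CertNameStatus::KeyAtWrongOffset:
      return "KEY is at offset " + std::to_string(r.keyOffset) + ", expected -4";
  }
  return "";
}

int main() {
  // The two names quoted in the thread: the installed certificate and the
  // name the consumer saw when validation failed.
  const char* names[] = {
      "/root/site1/KEY/%AF%C7%D8y3%5De%06/NA/%FD%00%00%01_AR%9B%1C",
      "/root/site1/KEY/%AF%C7%D8y3%5De%06/%FD%00%00%01_N%9E%0Aw",
  };
  for (const char* name : names)
    std::cout << name << "\n  -> " << describe(checkCertName(name)) << "\n";
  return 0;
}
```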
  </body>
</html>