[ndnSIM] Need for Multiple Trust schemas ?

Andre Madureira andreluizromanomadureira at gmail.com
Sun Apr 13 08:01:51 PDT 2025 

Dear Lixia,

Thanks you for such a promptly and precise reply.

My understanding from the Intertrust paper (please correct me if I'm wrong)
is that if I have two apps (/appA and /appB), each with their own trust
anchors (Za and Zb) and trust schemas, appA can consume packets from appB
if Za signs Zb (resulting in a certificate Zb'). But after that I didn't
understand how the solution would work .

That is, if appA retrieve a data packet /appB/some_suffix, it can verify
it's KeyLocator field to validate the certificate used to sign the data
packet. However, that validation process requires the appB schema rules to
work. How would that be implemented in Intertrust solution?

>From what I could deduce, appA has two approaches to the appB validation
rules retrieval problem: I) retrieve the appB trust schema (or a subset of
it, managed by appB zone controller) , or ii) embed appB rules (in entirety
or as a subset, defined by the appB zone controller) inside appA trust
schema.

The first solution implies that appA nodes can use two schemas to validate
data packets (the appA schema, and the subset of appB schema). However I do
not know if that is feasible in current NDN architecture.

The other solution would imply mutating appA schema to contain a subset of
the validation rules from appB. In that case, for each trust zone, we would
need to have a new version of the appA schema, containing the exported appB
validation rules.

I really don't know what approach was originally thought for Intertrust
implementation.

Any ideas or insights will be highly appreciated.

Best regards,

André Luiz Romano Madureira

Em sáb., 12 de abr. de 2025, 22:11, Lixia Zhang <lixia at cs.ucla.edu>
escreveu:

> If /appX and /appY do not have a shared trust anchor, the two are in two
> different trust domains.
>
> Verification across trust domains requires the establishment of security
> relations between the demains. Please see an early exploration on this
> issue"
> "Intertrust: establishing inter-zone trust relationships"
> https://dl.acm.org/doi/abs/10.1145/3517212.3559489
>
> Lixia
>
> On Apr 12, 2025, at 1:26 PM, Andre Madureira via ndnSIM <
> ndnsim at lists.cs.ucla.edu> wrote:
>
>
> Hello everyone,
>
> I was currently working on an NDN App ( */appX *) that needs to consume
> data produced in another App ( */appY *). They both have their own trust
> schemas, with their own rules and certificate chains.
>
> The issue I'm facing is how to validate data produced in the "*/appY"* zone
> inside the application "*/appX"*, if they have distinct trust schemas?
>
> That is, */appX *consumes data produced within the name hierarchy of
> */appY.*
> How *appX* can validate those data packets created within *appY *?
>
> Thanks in advance for any insights provided.
>
> Best regards,
>
> André Luiz Romano Madureira
> _______________________________________________
> ndnSIM mailing list
> ndnSIM at lists.cs.ucla.edu
> https://www.lists.cs.ucla.edu/mailman/listinfo/ndnsim
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/ndnsim/attachments/20250413/2fdad479/attachment.htm>

More information about the ndnSIM mailing list