[Nfd-dev] Intended scope of client.conf
Burke, Jeff
jburke at remap.ucla.edu
Tue Aug 19 09:44:24 PDT 2014
Hi Yingdi,
Thanks for the reply – comments below.
Jeff
From: Yingdi Yu <yingdi at cs.ucla.edu<mailto:yingdi at cs.ucla.edu>>
Date: Tue, 19 Aug 2014 11:25:42 -0500
To: Jeff Burke <jburke at remap.ucla.edu<mailto:jburke at remap.ucla.edu>>
Cc: Alexander Afanasyev <alexander.afanasyev at ucla.edu<mailto:alexander.afanasyev at ucla.edu>>, Steve DiBenedetto <dibenede at cs.colostate.edu<mailto:dibenede at cs.colostate.edu>>, "nfd-dev at lists.cs.ucla.edu<mailto:nfd-dev at lists.cs.ucla.edu>" <nfd-dev at lists.cs.ucla.edu<mailto:nfd-dev at lists.cs.ucla.edu>>
Subject: Re: [Nfd-dev] Intended scope of client.conf
Hi Jeff,
On Aug 18, 2014, at 4:35 PM, Burke, Jeff <jburke at remap.ucla.edu<mailto:jburke at remap.ucla.edu>> wrote:
So, the idea is that client.conf provides per-user configuration for NDN applications that gives the default keystore and mechanism for connecting to the local daemon. For now, the default keystore specified in this configuration must be used if an application wants to interact with the identities/keys manipulated by the ndnsec tools.
Is that the right way to state it?
This client.conf is the configuration file of ndn-cxx, so all apps (including ndnsec) compiled against ndn-cxx will use the keystore info in this file as the default configuration. If an app wants to access the identities/keys created through ndn-cxx, the paths in the conf file should be the right place to go.
Alex's Issue #1850<http://redmine.named-data.net/issues/1850> suggests a stronger idea - that client.conf is for all libraries / applications interacting locally with NFD/NRD. Is that correct?
- NFD and NRD use their own system-wide configuration file, not client.conf. The unix socket they use is defined in their nfd.conf file. But where is the keystore for the keys used by NFD and NRD, and how is it configured? I couldn't find this in the developers guide.
NFD and NRD are built against ndn-cxx, so they use the keystore info in the client.conf. We will clarify that in the dev guide.
I'm still not sure that I understand why NFD/NRD should use a user's ~/.ndn/client.conf for their identity, if they are system-wide services. This means that NFD and NRD will have different identities/signing keys on the same host if they are started by different users? Shouldn't the daemon's identities be stable per-host unless changed by the owner/operator?
- It is assumed that there is only one installation of NFD/NRD per host. So, shouldn't the socket configuration and protocol be per-host rather than per user? I understand that for convenience they may be in client.conf, but want to confirm...
We may have per-host config for socket, but for keystore info, it might be better to keep per-user configuration.
If NFD/NRD are system-wide services, what is the motivation for this? (If they always ran under their own user, and the keystore was that of the NFD "user" this would make sense to me. But, this is not the default behavior yet.)
perhaps their should be a client-default.conf in the same place as nfd.conf, and just override it from ~/.ndn/client.conf?
I think a client-default.conf is possible if we set user's home directory as the default path to keystore.
Yes, makes sense. I'm not sure it's necessary if the NRD/NFD identity issue is solved in a different way.
- There is an operator identity created by default at the time of installation of NFD/NRD. This seems to be associated with the user who installed the software. For NDN applications that run under other (non-root) users, is the idea that they can use their own client.conf settings, but the operator of the machine will need to authorize their key to sign things like prefix registration commands for the daemon?
Ideally yes, but command interest validation is turned off.
Yes, but hopefully not for long :)
It seems like there is a potential bottleneck here, where on a multi-user host the operator will need to manually sign each user's key before they can register prefixes, which is a basic part of NDN communication. Perhaps there should be an optional configuration mechanism available that automatically signs the keys of all authenticated users (who optionally are members of some group) on the host.
- Because it uses ndn-cxx, ndnsec manipulates the PIB/TPM for the current user, based on the settings in that user's client.conf. Is that correct? This may need to be clarified in the documentation. Also, ndnsec-list does not seem to take into account the TPM setting, it just lists all of the keys in the PIB for the user. Perhaps it could indicate which TPM they are stored in, to aid debugging?
ndn-cxx internally maintains the consistency between PIB and TPM. Right now ndn-cxx assumed that there is only one TPM for one PIB, so we do not list the TPM information for each key. But I think we may need the TPM info when PIB handles multiple TPMs at the same time.
Ok. This causes some problems with NFD/NRD and probably other applications in cases where you are experimenting with two different TPMs. See Bug #1889<http://redmine.named-data.net/issues/1889>.
Thanks!
Jeff
Yingdi
Thanks,
Jeff
From: Alex Afanasyev <alexander.afanasyev at ucla.edu<mailto:alexander.afanasyev at ucla.edu>>
Date: Mon, 18 Aug 2014 15:49:59 -0500
To: Steve DiBenedetto <dibenede at cs.colostate.edu<mailto:dibenede at cs.colostate.edu>>
Cc: Jeff Burke <jburke at remap.ucla.edu<mailto:jburke at remap.ucla.edu>>, "nfd-dev at lists.cs.ucla.edu<mailto:nfd-dev at lists.cs.ucla.edu>" <nfd-dev at lists.cs.ucla.edu<mailto:nfd-dev at lists.cs.ucla.edu>>
Subject: Re: [Nfd-dev] Intended scope of client.conf
On Aug 18, 2014, at 3:38 PM, Steve DiBenedetto <dibenede at cs.colostate.edu<mailto:dibenede at cs.colostate.edu>> wrote:
On Aug 18, 2014, at 2:25 PM, Burke, Jeff <jburke at remap.UCLA.EDU<mailto:jburke at remap.UCLA.EDU>> wrote:
Hi folks,
Is there any specification for the purpose and scope of client.conf. E.g., how it can be located, what can be specified there, and what code should pay attention to it?
I'm not aware of a full specification for the current client.conf. Here's the original client.conf redmine issue that covers file format, location, and some parameters: http://redmine.named-data.net/issues/1364 .
This is basically the spec. A new addition that was made long time ago was part of http://redmine.named-data.net/issues/1532 and is documented in http://redmine.named-data.net/projects/ndn-cxx/wiki/KeyChainConf
---
Alex
We need to consider how to handle this specification in the NDN-CCL libraries, and would prefer to work from a design specification rather than existing code in ndn-cxx. For code like ndn-js, it may not always apply, so we need to understand defaults and assumptions, too.
Please see:
http://redmine.named-data.net/issues/1850
Thanks,
Jeff
_______________________________________________
Nfd-dev mailing list
Nfd-dev at lists.cs.ucla.edu<mailto:Nfd-dev at lists.cs.ucla.edu>
http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev
_______________________________________________
Nfd-dev mailing list
Nfd-dev at lists.cs.ucla.edu<mailto:Nfd-dev at lists.cs.ucla.edu>
http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev
_______________________________________________
Nfd-dev mailing list
Nfd-dev at lists.cs.ucla.edu<mailto:Nfd-dev at lists.cs.ucla.edu>
http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20140819/65012b31/attachment.html>
More information about the Nfd-dev
mailing list