<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jul 23, 2017, at 4:03 PM, Junxiao Shi <<a href="mailto:shijunxiao@email.arizona.edu" class="">shijunxiao@email.arizona.edu</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="">Hi Alex<br class=""><br class=""></div><div class="">As I understand:<br class=""><ol class=""><li class="">The certificate obtained from ndncert system is held in NFD's KeyChain.</li><li class="">App can choose to request a sub-certificate of the certificate in (1) via identity manager API.</li></ol></div><div class="">Is the above understanding accurate?<br class=""></div></div></div></blockquote><div><br class=""></div><div>1. Yes, but I rephrase it a bit. A certificate that is obtained from the outside the phone authority using ndncert protocol can be managed by the KeyChain that belong to NFD Android. It is not a requirement, rather a convenience option. Applications may obtain and manage certificates directly from an outside authority if they want so.</div><div><br class=""></div><div>2. Yes. This API can be a version of ndncert protocol (for Android specifically, it can be based on Intents instead of direct interest/data exchanges).</div><div><br class=""></div><div>At the same time, for the basic usage, what you mention are correct. Just those are not the set in stone ways of managing trust on devices.</div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class=""><br class="">I wonder:<br class=""><ul class=""><li class="">Which package is responsible for publishing the sub-certificate in (2)? NFD-Android or the app?</li></ul></div></div></div></blockquote><div>Could be both.</div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class=""><ul class=""><li class="">What's the user experience of app requesting a sub-certificate through identity manager API? Does it involve user confirmation, or is it fully automated?<br class=""></li></ul></div></div></div></blockquote><div>It has to involve user confirmation, at least for the initial certificate request. Zhiyi has implemented a version for similar operations in the command line version of ndncert daemon/client and we need to realize it in Android environment. This can be as simple as "approve"/"reject" or require entering a PIN code.</div><div><br class=""></div><div>-</div><div>Alex</div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class=""><div class=""><div class="gmail_extra">Yours, Junxiao<br class=""></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Wed, Jul 19, 2017 at 4:53 AM, Alex Afanasyev <span dir="ltr" class=""><<a href="mailto:aa@cs.fiu.edu" target="_blank" class="">aa@cs.fiu.edu</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">> How do Android apps communicate with NFD in the NDN app? I suppose apps on Android are sandboxed similarly to iOS (is this wrong?) and not sure how my app would create a unix socket connection with NFD. Likewise, how the app would access the keychain? (disclaimer: my app uses NDN-CPP)<br class="">
<br class="">
</span>App to NFD via localhost TCP socket.<br class="">
<br class="">
NFD's and Apps Keychain not shared (and should not). The identity manager that (will be) built into NFD android will be responsible for maintaining "user" specific identities, apps can either maintain completely independent identities or derived from user ones via the identity manager API.<br class=""><br class=""></blockquote></div></div></div></div></div>
</div></blockquote></div><br class=""></body></html>