<div dir="ltr"><div dir="ltr">We don't need to put the hint into the KeyLocator and change the Data packet format.<div>Instead, we can add an extension TLV into the SignatureInfo part, e.g., <a href="http://named-data.net/doc/ndn-cxx/current/specs/certificate-format.html#additionaldescription">http://named-data.net/doc/ndn-cxx/current/specs/certificate-format.html#additionaldescription</a>, and put the forwarding hint information there.</div><div><br></div><div>We can mention this in the ndncert documentation.</div><div><br></div><div>Best,</div><div>Zhiyi</div></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Oct 5, 2018 at 11:44 AM Junxiao Shi &lt;<a href="mailto:shijunxiao@email.arizona.edu">shijunxiao@email.arizona.edu</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr">Hi Zhiyi<div><br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div><div class="m_-1416029451221927813gmail-h5"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Certificate publishing question: it seems that the certificates issued from your CA are not published into the testbed, as I’m unable to retrieve them by expressing an Interest of the certificate name with CanBePrefix. In ndncert-legacy, the CA publishes every certificate it ever issued, and the Relying Party can just refer to them with a KeyLocator. 
In the new ndncert system, who is expected to publish the certificates, CA or Relying Party (client)?</div></blockquote></div></div></blockquote><div><br></div></div></div><div>NDNCERT already supports the repo-ng, which means the NDNCERT server can publish all the issued certificates into the repo.</div><div>To solve the name issue (e.g., let /ndn/edu/ucla/CA serve /ndn/edu/ucla/zhiyi/KEY/...), we can have a forwarding hint to forward the request to the /ndn/edu/ucla and get the certificate from the repo. (repo's registered prefix is not exposed to the testbed)</div><div></div></div></div></blockquote></div><br></div></div><div class="gmail_extra">When a verifier V needs to retrieve a certificate, the only information V has is the KeyLocator. For example:</div><div class="gmail_extra"><div class="gmail_extra"><font face="monospace, monospace">&lt;KeyLocator&gt;</font></div><div class="gmail_extra"><font face="monospace, monospace">  &lt;Name&gt;</font></div><div class="gmail_extra"><font face="monospace, monospace">    /ndn/edu/arizona/cs/shijunxiao/KEY/%FE%A6%A6%12r%9F%DE%A5/NA/%FD%00%00%01b%28%C6%91%1F</font></div><div><font face="monospace, monospace">  &lt;/Name&gt;</font></div><div><font face="monospace, monospace">&lt;/KeyLocator&gt;</font></div></div><div class="gmail_extra">V is unable to infer the ForwardingHint needed for retrieving the certificate, because it does not know how many components are in the CA prefix.<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">One obvious solution is to include a forwarding hint in the KeyLocator:</div><div class="gmail_extra">

<div class="gmail_extra" style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><div class="gmail_extra"><font face="monospace, monospace">&lt;KeyLocator&gt;</font></div>

<div class="gmail_extra" style="text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace">  &lt;Name&gt;</font></div><div class="gmail_extra" style="text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace">    /ndn/edu/arizona/cs/shijunxiao/KEY/%FE%A6%A6%12r%9F%DE%A5/NA/%FD%00%00%01b%28%C6%91%1F</font></div><div style="text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace">  &lt;/Name&gt;</font></div><div><font face="monospace, monospace"><div class="gmail_extra" style="font-family:arial,sans-serif;font-size:small;text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace">  &lt;ForwardingHint&gt;</font></div><div class="gmail_extra" style="font-family:arial,sans-serif;font-size:small;text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace">    &lt;Delegation&gt;</font></div><div class="gmail_extra" style="font-family:arial,sans-serif;font-size:small;text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace">      &lt;Preference&gt;0&lt;/Preference&gt;</font></div><div class="gmail_extra" style="font-family:arial,sans-serif;font-size:small;text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace">      &lt;Name&gt;/ndn/edu/arizona&lt;/Name&gt;</font></div><div class="gmail_extra" style="font-family:arial,sans-serif;font-size:small;text-decoration-style:initial;text-decoration-color:initial"><font face="monospace, monospace">    &lt;/Delegation&gt;</font></div><div class="gmail_extra" style="font-family:arial,sans-serif;font-size:small;text-decoration-style:initial;text-decoration-color:initial"><span style="font-family:monospace,monospace">  &lt;/</span><span style="font-family:monospace,monospace">ForwardingHint</span><span style="font-family:monospace,monospace">&gt;</span><br></div>&lt;/KeyLocator&gt;</font></div></div>but this requires changing the packet format, and 
possibly the certificate format as well because the signer needs to know what forwarding hint to put into the KeyLocator.<br class="m_-1416029451221927813gmail-Apple-interchange-newline">

<br></div><div class="gmail_extra">Yours, Junxiao</div></div></div>
</blockquote></div>
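<div>The two options discussed in this thread, as an added example that is not code from either participant or from ndncert: it shows why the KeyLocator name alone leaves several candidate forwarding hints, and how a hint carried in an AdditionalDescription-style extension of SignatureInfo could be encoded by the signer and read back by the verifier. Assumptions: the description key <code>forwarding-hint</code> and all function names are hypothetical; the TLV-TYPE numbers are those of the NDN packet specification and the ndn-cxx certificate format.</div>

```python
from urllib.parse import unquote_to_bytes

# NDN TLV-TYPE numbers (packet spec and ndn-cxx certificate format).
NAME, COMPONENT, SIG_INFO, SIG_TYPE, KEY_LOCATOR = 7, 8, 22, 27, 28
ADDL_DESC, DESC_ENTRY, DESC_KEY, DESC_VALUE = 258, 512, 513, 514
HINT_KEY = b"forwarding-hint"  # assumed key name, not defined by ndncert

def varnum(n):
    # 1-byte form below 253, otherwise marker 253 + 2 bytes (enough here)
    return bytes([n]) if n < 253 else b"\xfd" + n.to_bytes(2, "big")

def tlv(t, value):
    return varnum(t) + varnum(len(value)) + value

def read_tlvs(buf):
    """Yield (type, value) for each top-level TLV in buf."""
    def num(i):
        if buf[i] < 253:
            return buf[i], i + 1
        if buf[i] != 253:
            raise ValueError("4/8-byte numbers not needed in this example")
        return int.from_bytes(buf[i + 1:i + 3], "big"), i + 3
    i = 0
    while i < len(buf):
        t, i = num(i)
        length, i = num(i)
        if i + length > len(buf):
            raise ValueError("truncated TLV")
        yield t, buf[i:i + length]
        i += length

def encode_name(uri):
    return tlv(NAME, b"".join(tlv(COMPONENT, unquote_to_bytes(c))
                              for c in uri.strip("/").split("/")))

def candidate_hints(key_uri):
    """Every prefix before KEY could be the CA prefix; V cannot tell which."""
    parts = key_uri.strip("/").split("/")
    return ["/" + "/".join(parts[:n]) for n in range(1, parts.index("KEY") + 1)]

def signature_info(key_uri, hint_uri):
    entry = tlv(DESC_ENTRY, tlv(DESC_KEY, HINT_KEY) + tlv(DESC_VALUE, hint_uri.encode()))
    return tlv(SIG_INFO, tlv(SIG_TYPE, b"\x03") + tlv(KEY_LOCATOR, encode_name(key_uri))
               + tlv(ADDL_DESC, entry))

def hint_from(sig_info):
    """Verifier side: the hint, or None if the signer supplied none."""
    fields = dict(read_tlvs(dict(read_tlvs(sig_info))[SIG_INFO]))
    for _, entry in read_tlvs(fields.get(ADDL_DESC, b"")):
        kv = dict(read_tlvs(entry))
        if kv.get(DESC_KEY) == HINT_KEY:
            return kv[DESC_VALUE].decode()
    return None
```

<div>The verifier reads the hint before it can check the signature, so the hint is only an unauthenticated routing aid at that point; the certificate fetched with it still has to pass normal validation.</div>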