<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On May 2, 2020, at 8:52 AM, Junxiao Shi <<a href="mailto:shijunxiao@email.arizona.edu" class="">shijunxiao@email.arizona.edu</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="">Hi Lixia</div><div class="">It's great to get your answer, instead of telling me to shut up.<br class=""></div></div></div></blockquote><div><br class=""></div>One is welcome to bring real issues to the talks. </div><div>One should shutup when he/she blocks everyone else and disrupts meeting agendas.<br class=""><div class=""><div dir="ltr" class=""><div class=""><br class=""></div></div></div><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class="">The root certificate does not need to be maintained. It lasts for several years.</div><div class="">Current and historical root certificates can be seen here: <a href="https://named-data.net/ndn-testbed/" target="_blank" class="">https://named-data.net/ndn-testbed/</a></div></div></div></blockquote><div><br class=""></div>Even if that is the current practice (perhaps inherited from today's TCP/IP networks practice), it's not the proof of being the right practice.</div><div><br class=""></div><div><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class="">Unretrievable root/site certificates will hinder the adoption of <i class="">certificate bundle</i>.<br class=""></div><div class=""><br class=""></div><div class="">For replication, I proposed a manual replication method, and it was approved on 20160630 NFD call. However, it's still not deployed.</div><div class=""><a href="https://lists.netsec.colostate.edu/mailman/private/operators/2020-May/001430.html" target="_blank" class="">https://lists.netsec.colostate.edu/mailman/private/operators/2020-May/001430.html</a></div><div class=""><br class=""></div><div class="">Yours, Junxiao<br class=""></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, May 2, 2020 at 11:48 AM Lixia Zhang <<a href="mailto:lixia@cs.ucla.edu" target="_blank" class="">lixia@cs.ucla.edu</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class=""><p style="text-align:center" class=""><font color="red" class=""><b class="">External Email</b><br class=""></font></p>yes I believe the root cert should be published, and should be replicated in the repo of all testbed routers.<div class=""><br class=""><div class=""><div class=""><div class="">I think the question really is who is responsible for maintaining root cert (I do not know the current practice, but let me find out)</div><div class=""><br class=""></div><div class="">Lixia</div><div class=""><br class=""><blockquote type="cite" class=""><div class="">On May 2, 2020, at 8:31 AM, Junxiao Shi via Nfd-dev <<a href="mailto:nfd-dev@lists.cs.ucla.edu" target="_blank" class="">nfd-dev@lists.cs.ucla.edu</a>> wrote:</div><br class=""><div class=""><div dir="ltr" class=""><div class="">Dear folks</div><div class=""><br class=""></div><div class="">I wonder whether the testbed root certificate should be published over NDN?</div><div class="">Which node(s) are responsible for publishing this certificate?<br class=""></div><div class=""><br class=""></div><div class="">Yours, Junxiao<br class=""></div><div class=""><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br class="">From: <b class="gmail_sendername" dir="auto">Junxiao Shi</b> <span dir="auto" class=""><<a href="mailto:shijunxiao@email.arizona.edu" target="_blank" class="">shijunxiao@email.arizona.edu</a>></span><br class="">Date: Sat, May 2, 2020 at 11:30 AM<br class="">Subject: Re: NDN Testbed Root certificate not published<br class="">To: <<a href="mailto:operators@lists.named-data.net" target="_blank" class="">operators@lists.named-data.net</a>> <<a href="mailto:operators@lists.named-data.net" target="_blank" class="">operators@lists.named-data.net</a>><br class=""></div><br class=""><br class=""><div dir="ltr" class=""><div dir="ltr" class="">

Hi NDNOPS<div class=""><br class=""></div><div class="">I notice that the "NDN Testbed <span class="">Root</span>" <span class="">certificate</span> cannot be retrieved over NDN.</div><div class=""><br class=""></div><div class="">From <a href="https://named-data.net/ndnsec/ndn-testbed-root-v2.ndncert.txt" target="_blank" class="">https://named-data.net/ndnsec/ndn-testbed-root-v2.ndncert.txt</a> I can see:</div><div class=""><div class=""><span class="">Certificate</span> name: <font face="monospace, monospace" class="">/ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B</font></div></div><div class=""><br class=""></div><div class="">However, I cannot retrieve the <span class="">certificate</span> over NDN.</div><div class="">To rule out potential connectivity problems, I'm running the commands on Arizona router.</div><div class=""><br class=""></div><div class=""><div class=""><font face="monospace, monospace" class="">shijunxiao@hobo:~$ <font color="#0000ff" class="">ndnpeek -V</font></font></div><div class=""><font face="monospace, monospace" class="">ndnpeek 0.7-1-g7d14815</font></div><div class=""><font face="monospace, monospace" class="">shijunxiao@hobo:~$ <font color="#0000ff" class="">ndnpeek -P
<font face="monospace, monospace" class="">/ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B</font>

</font></font></div><div class=""><font face="monospace, monospace" class="">shijunxiao@hobo:~$ <font color="#0000ff" class="">echo $?</font></font></div><div class=""><font face="monospace, monospace" class="">3</font></div><br class=""></div><div class="">The second command sets CanBePrefix flag with <span style="font-family:monospace,monospace" class="">-P</span>. There's no response to this Interest.</div><div class="">ndnpeek exit code is 3. In ndnpeek 0.7, this means InterestLifetime has timed out.</div><br class=""><div class=""><br class=""></div><div class="">Although <span class="">root</span> CA <span class="">certificate</span> retrieval is not a prerequisite of verifying packets, I still think the <span class="">root</span> <span class="">certificate</span> should be available over NDN.</div><div class=""><br class=""></div><div class="">Yours, Junxiao</div>



</div><br class=""></div></div></div></div></div></blockquote></div><br class=""></div></div></div></div></blockquote></div></div>
</div></blockquote></div><br class=""></body></html>