<div dir="ltr"><div>Hi Junxiao,</div><div><br></div><div>Thanks for the quick response.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 8, 2021 at 4:43 PM Junxiao Shi <<a href="mailto:shijunxiao@email.arizona.edu">shijunxiao@email.arizona.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi Zhiyi</div><div><br></div><div>Thanks for finishing the deployment, but you could have announced it earlier.<br></div><div><br></div><div>I found three problems so far.</div><div>These problems are relevant to the latest protocol revision:<br></div><div><a href="https://github.com/named-data/ndncert/wiki/NDNCERT-Protocol-0.3/46700d99c67dc94d13d26f838e4594f1f66d7c76" target="_blank">https://github.com/named-data/ndncert/wiki/NDNCERT-Protocol-0.3/46700d99c67dc94d13d26f838e4594f1f66d7c76</a></div><div><br></div><div><font size="4">Wrong naming convention</font></div><div>The protocol requires the version and segment component to use 2019 naming convention: the terminology section links to TR-0022 rev2.</div><div>However, the RDR server is returning a version number in 2014 naming convention.</div><div><span style="font-family:monospace">$ ndnpeek -Pf /ndn/CA/INFO/32=metadata | ndn-dissect<br>6 (Data) (size: 179)<br> 7 (Name) (size: 40)<br> 8 (GenericNameComponent) (size: 3) [[ndn]]<br> 8 (GenericNameComponent) (size: 2) [[CA]]<br> 8 (GenericNameComponent) (size: 4) [[INFO]]<br> 32 (KeywordNameComponent) (size: 8) [[metadata]]<br> 8 (GenericNameComponent) (size: 9) [[%FD%00%00%01v%E4%90%7C%E1]]<br> 8 (GenericNameComponent) (size: 2) [[%00%00]]<br> 20 (MetaInfo) (size: 3)<br> 25 (FreshnessPeriod) (size: 1) [[%0A]]<br> 21 (Content) (size: 28)<br> 7 (Name) (size: 26)<br> 8 (GenericNameComponent) (size: 3) [[ndn]]<br> 8 (GenericNameComponent) (size: 2) [[CA]]<br> 8 (GenericNameComponent) (size: 4) [[INFO]]<br><span style="background-color:rgb(255,255,0)"> 8 (GenericNameComponent) (size: 9) [[%FD%00%00%01v%E3%FB%F2%3B]]<br></span> 22 (SignatureInfo) (size: 27)<br> 27 (SignatureType) (size: 1) [[%03]]<br> 28 (KeyLocator) (size: 22)<br> 7 (Name) (size: 20)<br> 8 (GenericNameComponent) (size: 3) [[ndn]]<br> 8 (GenericNameComponent) (size: 3) [[KEY]]<br> 8 (GenericNameComponent) (size: 8) [[e%9D%7F%A5%C5%81%10%7D]]<br> 23 (SignatureValue) (size: 71)<br> 48 (RESERVED_1) (size: 69)<br> 2 (ParametersSha256DigestComponent) (size: 32) [[%02%9Cy%D6%3A%D3%B1%03%DC%B8%95%12%F6%3C%8A%85%B2%D7%BB%E2l%2B%B6%00%1A%BA%E8N%5B%D5%17%8D]]<br> 2 (ParametersSha256DigestComponent) (size: 33) [[%00%81%82%EB%A5%B2%C1%F50t%8B%B5%07%1E%05%E7%F5%80%1E%2C%EB%EF%3C%9E%5B%D8%80%2C_%92%F8%CC%18]]</span></div></div></blockquote><div><br></div><div>Oh, we didn't notice there is a new version for RDR. </div><div>Maybe this reflects we also need to update the online doc (I remembered we follow the spec on Redmine).</div><div>Will fix this.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div><br></div><div><font size="4">FinalBlockId field missing in CA profile</font></div><div>The protocol requires that the CA profile is versioned and segmented, and must be compatible with RDR protocol.</div><div>This requirement implies that the last segment of the CA profile must carry a FinalBlockId field that contains a value equaling the last component.</div><div>However, the CA profile packet does not have this field.</div><div><span style="font-family:monospace">$ ndnpeek /ndn/CA/INFO/%FD%00%00%01v%E3%FB%F2%3B/%00%00 | ndn-dissect | head<br>6 (Data) (size: 769)<br> 7 (Name) (size: 30)<br> 8 (GenericNameComponent) (size: 3) [[ndn]]<br> 8 (GenericNameComponent) (size: 2) [[CA]]<br> 8 (GenericNameComponent) (size: 4) [[INFO]]<br> 8 (GenericNameComponent) (size: 9) [[%FD%00%00%01v%E3%FB%F2%3B]]<br> 8 (GenericNameComponent) (size: 2) [[%00%00]]<br><span style="background-color:rgb(255,255,0)"> 20 (MetaInfo) (size: 4)<br> 25 (FreshnessPeriod) (size: 2) [[%03%E8]]<br></span> 21 (Content) (size: 625)</span></div></div></blockquote><div><br></div><div>Right.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div><font size="4">Inconsistency in ca-prefix</font></div><div>In the protocol, section 2.1.2 gives this example:</div><div><span style="font-family:monospace">T:Content, L, V:<br><span style="background-color:rgb(255,255,0)"> T:ca-prefix, L, V:"/ndn/CA"<br></span> T:ca-info, L, V:"NDN Testbed CA"</span></div><div><br></div><div>However, the ca-prefix field in the retrieved CA profile lacks the "/CA" component.</div><div><span style="font-family:monospace">$ ndnpeek -p /ndn/CA/INFO/%FD%00%00%01v%E3%FB%F2%3B/%00%00 | ndn-dissect | head<br>129 (APP_TAG_1) (size: 7)<br><span style="background-color:rgb(255,255,0)"> 7 (Name) (size: 5)<br> 8 (GenericNameComponent) (size: 3) [[ndn]]<br></span>131 (APP_TAG_1) (size: 22) [[NDN%20Trust%20Anchor%3A%20%2Fndn]]<br>133 (APP_TAG_1) (size: 5) [[email]]<br>139 (APP_TAG_1) (size: 4) [[%00%13%C6%80]]<br>137 (APP_TAG_1) (size: 575)<br> 6 (Data) (size: 571)<br> 7 (Name) (size: 36)<br> 8 (GenericNameComponent) (size: 3) [[ndn]]</span><br></div><div><br></div><div>However, this is probably an error in the protocol write-up.</div><div>If ca-prefix is supposed to contain the "CA" component, the packet names such as <span style="font-family:monospace">/<CA-prefix>/CA/NEW/<ParametersSha256Digest></span> would have two "CA" components.<br></div><div>If this is the case, please update the example in the protocol write-up.<br></div></div></blockquote><div><br></div><div>Yeah. The ca-prefix should not contain CA component. CA is added by the NDNCERT protocol.</div><div>The example in the spec needs to be fixed.</div><div><br></div><div>Best,</div><div>Zhiyi</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div></div><div><br></div><div>Yours, Junxiao<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 8, 2021 at 5:25 PM Zhiyi Zhang <<a href="mailto:zhiyi@cs.ucla.edu" target="_blank">zhiyi@cs.ucla.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><p style="text-align:center"><font color="red"><b>External Email</b><br></font></p><div dir="ltr">Hi Junxiao,<div><br></div><div>Yeah. It has been running and it supports both PIN code challenge and email challenge.</div><div><br></div><div>I just applied a cert on my laptop (MacOS) from Suns server.</div><div>Since now we support RDR discovery and fetch of CA profile, so we don't need to pre-config the client. Instead, in the step 2, type in the CA name that you want to contact, and in step 2, check the certificate information (the one shown below is a valid cert).</div><div><br></div><div>➜ ~ ndncert-client<br>***************************************<br>Step 1: CA SELECTION<br>> Index: 0<br>>> CA prefix:/example<br>>> Introduction: An example NDNCERT CA<br>Please type in the CA's index that you want to apply or type in NONE if your expected CA is not in the list:<br>none<br><br>***************************************<br>Step 2: ADD NEW CA<br>Please type in the CA's Name:<br>/ndn<br><br>***************************************<br>Step 2: Will use a new trust anchor, please double check the identity info:<br>> New CA name: /ndn<br>> This trust anchor information is signed by: Name=/ndn/KEY/e%9D%7F%A5%C5%81%10%7D<br>> The certificate: > The certificate: Certificate name:<br> /ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B<br>Validity:<br> NotBefore: 20171220T001939<br> NotAfter: 20201231T235959<br>Additional Description:<br> fullname: NDN Testbed Root<br>Public key bits:<br> MIIBSzCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAA<br> AAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA////<br> ///////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMVAMSd<br> NgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5<br> RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8AAAAA<br> //////////+85vqtpxeehPO5ysL8YyVRAgEBA0IABAUIdqatSflni6u9XO2ZSmBA<br> +MjDwkx2RiPtCCLsm4oKVn2Jyfa/yOSgZseGqnTEdbN1rDWvlIgAmxI0MUXVM1g=<br>Signature Information:<br> Signature Type: SignatureSha256WithEcdsa<br> Key Locator: Self-Signed Name=/ndn/KEY/e%9D%7F%A5%C5%81%10%7D</div><div><br>Do you trust the information? Type in YES or NO<br>yes<br>You answered YES: new CA /ndn will be used<br><br>***************************************<br>Step 3: Do you know your identity name to be certified by CA /ndn already? Type in YES or NO<br>no<br>You answered NO<br><br>***************************************<br>Step 4: Please provide information for name assignment<br>Please input: email<br><a href="mailto:zhangzhiyi1919@gmail.com" target="_blank">zhangzhiyi1919@gmail.com</a><br>Got it. This is what you've provided:<br>email : <a href="mailto:zhangzhiyi1919@gmail.com" target="_blank">zhangzhiyi1919@gmail.com</a><br><br>***************************************<br>Step 5: You can either select one of the following names suggested by the CA:<br>> Index: 0<br>>> Suggested name: /ndn/zhangzhiyi1919%<a href="http://40gmail.com" target="_blank">40gmail.com</a><br>>> Corresponding Max sufiix length: 2<br><br>Or choose another trusted CA suggested by the CA:<br>Please type in the index of your choice:<br>0<br>You selected name: /ndn/zhangzhiyi1919%<a href="http://40gmail.com" target="_blank">40gmail.com</a><br>Enter Suffix if you would like one (Enter to skip):<br><br>***************************************<br>Step 6: Please type in your expected validity period of your certificate. Type the number of hours (168 for week, 730 for month, 8760 for year). The CA may reject your application if your expected period is too long.<br>100<br>The validity period of your certificate will be: 100 hours<br><br>***************************************<br>Step 7: CHALLENGE SELECTION<br>> Index: 0<br>>> Challenge:email<br>> Index: 1<br>>> Challenge:pin<br>Please type in the challenge index that you want to perform:<br>0<br>The challenge has been selected: email<br><br>***************************************<br>Step 8: Please provide parameters used for Identity Verification Challenge<br>Please input your email address<br><a href="mailto:zhangzhiyi1919@gmail.com" target="_blank">zhangzhiyi1919@gmail.com</a><br>Got it. This is what you've provided:<br>email : <a href="mailto:zhangzhiyi1919@gmail.com" target="_blank">zhangzhiyi1919@gmail.com</a><br><br>***************************************<br>Step 8: Please provide parameters used for Identity Verification Challenge<br>Please input your verification code<br>537720<br>Got it. This is what you've provided:<br>code : 537720<br>Certificate has already been issued, downloading certificate...<br><br>***************************************<br>Step 8: DONE<br>Certificate with Name: /ndn/zhangzhiyi1919%<a href="http://40gmail.com/KEY/%9B%93%17L%81%11%7C%AE/NDNCERT/725316137953299380has" target="_blank">40gmail.com/KEY/%9B%93%17L%81%11%7C%AE/NDNCERT/725316137953299380has</a> already been installed to your local keychain<br>Exit now%<br></div><br></div></blockquote></div></div>
</blockquote></div></div>