[Ndn-interest] limit the scope of trust-anchor in trust schema
Nikos Fotiou
fotiou at aueb.gr
Mon Jan 15 13:47:30 PST 2024
Both resources are very helpful. I was looking for something like that.
Thanks a lot,
Nikos
On 2024-01-15 23:07, Lixia Zhang wrote:
> On Jan 14, 2024, at 11:25 PM, fotiou at aueb.gr wrote:
>
> Hi Lixia, all
>
> yes all trust anchors have limited scope, and different trust domains
> have different trust anchors.
>
> My question is about limiting the scope of a trust anchor within a
> domain.
> E.g., in ndn testbed, would it be possible to use different trust anchors
> for /ndn/edu/Arizona and for /ndn/edu/Memphis?
I could offer 2 explanations here:
1/ as illustrated in an old TR from 2018,
"An Overview of Security Support in Named Data Networking"
https://named-data.net/wp-content/uploads/2018/07/ndn-0057-4-ndn-security.pdf
you could see that even under the same high level namespace (/ndnfit),
/ndnfit/Alice has its own trust anchor (you could look up the TR for more
details). This TR is from 6 years back. We are working on a revision
now, one of the things is to add the trust domain concept to it.
2/ The testbed trust model: it was put together more than 10 years back.
Over that time we gained much better understanding about security/trust
models. There has been a plan to change it to a multicampus
collaborative/peer model, i.e. each site sets up its own trust anchor
(as your msg suggested). As an example, see ACM ICN 2022 poster
"Intertrust: establishing inter-zone trust relationships"
https://dl.acm.org/doi/abs/10.1145/3517212.3559489
(we replaced "trust zone" with "trust domain", to avoid potential
confusion with tpm trustzone)
But we are yet to get some manpower to change the testbed to multiple
trust domain models (we are looking for help!)
Lixia