[Nfd-dev] Understanding nfd's trust model

Junxiao Shi shijunxiao at email.arizona.edu
Sun Mar 30 11:58:46 PDT 2014


Hi Tai-Lin

The NFD trust model is *limited to management*, and does not apply to packets
being forwarded.

The NFD Management trust model is very simple: any and all keys to be trusted
must be statically configured in the configuration file.

NFD Management is unable to support any "trust chain", because:

   - A trust chain requires retrieving public keys over the network. To
   retrieve keys over the network, a correct FIB is needed.
   - ControlCommands are used to set up the FIB.
   - To validate the ControlCommands, NFD needs the keys in the trust chain.

This is a circular dependency. To break this circle, we decided to require
statically configured keys.


It's not a big limitation for NFD Management to require statically
configured keys, because NFD Management can be used from localhost only,
and very limited entities can interact with NFD Management via
ControlCommand:

   - configuration tools: nfdc
   - control plane: NRD

Although ndn-cpp-dev has an ndn::nfd::Controller class that allows apps to
interact with NFD Management via ControlCommand, this class is intended to
be used by nfdc only.
Regular apps register prefixes with NRD. NRD can and should support a more
flexible trust model, including but not limited to a trust chain.


Yours, Junxiao


On Sun, Mar 30, 2014 at 11:44 AM, Tai-Lin Chu <tailinchu at gmail.com> wrote:

> Hi,
> I discovered [this doc](
> http://irl.cs.ucla.edu/~yingdi/web/pub/Trust-Management-Library-v4.pdf)
>
> Questions:
> 1. Does nfd treat the default.ndncert as root key?
>
> 2. If so, does it mean that the keylocator's name of this cert is not used?
>
> 3. If I want to express the signing chain, do I simply add the required key to
> that cert dir and nfd will verify the chain?
>
> e.g.
> simple: default.cert --(sign)-> data
> chain: default.cert --(sign)-> other.cert --(sign)-> data
>
> Thanks.
>
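
Added example, not part of the original thread and not NFD code: a toy Python model of the circular dependency described in the reply above, and of how statically configured keys break it. HMAC stands in for NDN signatures, and the `fib/add` command syntax, key names and secrets are constructed for illustration.

```python
import hashlib
import hmac

# Constructed key material. HMAC stands in for NDN public-key signatures.
KEYS = {"/localhost/operator/KEY": b"operator-secret",
        "/site/alice/KEY": b"alice-secret"}

def mac(key: bytes, command: str) -> bytes:
    return hmac.new(key, command.encode(), hashlib.sha256).digest()

def sign(command: str, key_name: str) -> dict:
    """Build a signed command; key_locator names the signing key."""
    return {"command": command, "key_locator": key_name,
            "sig": mac(KEYS[key_name], command)}

class Forwarder:
    """Toy forwarder: a FIB plus a validator for management commands."""
    def __init__(self, static_keys, fetch_keys=False):
        self.fib = set()                      # prefixes that have a route
        self.static_keys = dict(static_keys)  # keys listed in the config file
        self.fetch_keys = fetch_keys          # True models a trust chain

    def _fetch(self, key_name):
        # Fetching a key means sending an Interest, which needs a FIB entry
        # covering the key name.
        routed = any((key_name + "/").startswith(p + "/") for p in self.fib)
        return KEYS.get(key_name) if routed else None

    def handle(self, cmd) -> bool:
        key = self.static_keys.get(cmd["key_locator"])
        if key is None and self.fetch_keys:
            key = self._fetch(cmd["key_locator"])
        if key is None or not hmac.compare_digest(mac(key, cmd["command"]), cmd["sig"]):
            return False                      # unknown key or bad signature
        verb, prefix = cmd["command"].split(" ", 1)
        if verb == "fib/add":                 # simplified command syntax
            self.fib.add(prefix)
        return True

def demo():
    # Trust-chain style, empty FIB: the command that would install the route
    # cannot be validated because its key cannot be fetched without the route.
    chain = Forwarder({}, fetch_keys=True)
    deadlocked = not chain.handle(sign("fib/add /site", "/site/alice/KEY"))
    # Static style: only the configured key is accepted, with no network fetch.
    static = Forwarder({"/localhost/operator/KEY": KEYS["/localhost/operator/KEY"]})
    accepted = static.handle(sign("fib/add /site", "/localhost/operator/KEY"))
    rejected = not static.handle(sign("fib/add /other", "/site/alice/KEY"))
    return deadlocked, accepted, rejected, sorted(static.fib), sorted(chain.fib)
```
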