[Nfd-dev] KEY in certificate names
shijunxiao at email.arizona.edu
Wed Mar 30 13:40:44 PDT 2016
The KeyChain is organized in three levels: identity - key - certificate.

An identity name is user specified. An identity requested through the ndncert
system is derived from your email address.

A key name is the identity name plus an arbitrary component, which usually
starts with "ksk-" or "dsk-".

A certificate name is the key name with a "KEY" inserted somewhere
before the last component, and appended with "ID-CERT". A certificate
requested through the ndncert system has its "KEY" component inserted after the
institution's site prefix but before the user's email username. A certificate
signed through other means can have its "KEY" component appear elsewhere.

When #3568 turns off nfd-autoreg for the site prefix, as indicated in the
"implication" of that issue, only those certificates requested through
the ndncert system would be usable with automatic prefix propagation.

These certificates are published in a repository running on the gateway
router. That repository has a prefix registration like
/ndn/edu/arizona/KEY, so that it can receive Interests asking for the
certificate of a user. The main reason for having the "KEY" component after
the institution's site prefix is to enable such a repository to register
this prefix and receive Interests for certificates but not other Interests.

> On Mar 30, 2016, at 12:21 PM, Thompson, Jeff <jefft0 at remap.ucla.edu>
> Hi Peter,
> I’m looking at the list of test bed certificates:
> It seems that everyone’s certificate name has KEY in a weird place. For
> Have you talked with the NFD team about this? Will it cause a problem with
> automatic prefix propagation in NdnCon?
> - Jeff T
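
Added example (not part of the original message and not ndn-cxx code): a small Python check of the naming rule described above, recovering the key name from a certificate name and testing whether an Interest for it would match a site repository's `<site>/KEY` prefix. The certificate names, the key id and the helper names are constructed for illustration, and ignoring any components after "ID-CERT" is an assumption.

```python
# Constructed sample names; not real testbed certificates.
NDNCERT_STYLE = "/ndn/edu/arizona/KEY/alice/ksk-1459370000/ID-CERT"
OTHER_STYLE = "/ndn/edu/arizona/alice/KEY/ksk-1459370000/ID-CERT"


def components(name):
    """Split a URI-style NDN name into its components."""
    return [c for c in name.split("/") if c]


def split_cert_name(cert_name):
    """Return (key name components, index of KEY) for a certificate name.

    Rule from the message: certificate name = key name with "KEY" inserted
    before the key name's last component, followed by "ID-CERT".
    Components after "ID-CERT" are ignored (assumption).
    """
    comps = components(cert_name)
    if "ID-CERT" not in comps:
        raise ValueError("no ID-CERT component")
    end = len(comps) - 1 - comps[::-1].index("ID-CERT")  # last ID-CERT
    body = comps[:end]  # key name with KEY inserted
    # KEY must appear before the key id, which is the last component of body.
    positions = [i for i, c in enumerate(body[:-1]) if c == "KEY"]
    if len(positions) != 1:
        raise ValueError("expected exactly one KEY component before the key id")
    k = positions[0]
    return body[:k] + body[k + 1:], k


def key_name(cert_name):
    """Key name that the certificate name was built from."""
    return "/" + "/".join(split_cert_name(cert_name)[0])


def served_by_site_repo(cert_name, site_prefix):
    """True if cert_name falls under the repository prefix <site_prefix>/KEY."""
    split_cert_name(cert_name)  # reject malformed certificate names first
    repo_prefix = components(site_prefix) + ["KEY"]
    return components(cert_name)[:len(repo_prefix)] == repo_prefix


if __name__ == "__main__":
    for cert in (NDNCERT_STYLE, OTHER_STYLE):
        print(cert, "->", key_name(cert),
              "| under /ndn/edu/arizona/KEY:",
              served_by_site_repo(cert, "/ndn/edu/arizona"))
```

Both sample names map to the same key name, but only the first one falls under the prefix the gateway repository registers.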