[Nfd-dev] KEY in certificate names

Junxiao Shi shijunxiao at email.arizona.edu
Wed Mar 30 14:02:29 PDT 2016


Hi Peter

The KeyLocator Name field typically contains the certificate name minus the
version number. A verifier should express an Interest with that name to
retrieve the certificate.
The version number is excluded because there could be multiple certificate
versions of the same key.

Having multiple certificate versions of the same key is useful in case of a
site certificate rollover.
Suppose I own key pair K1, and my certificate C1 is signed by Arizona's
certificate A1. Later A1 expires, and is replaced by a new key and new
certificate A2. I can have Arizona sign my same public key K1 into my
certificate C2. C1 and C2 will have the same name except for different version
numbers. Since both C1 and C2 refer to the same key pair K1, all my old and
new Data can be verified with C2, which is signed by an unexpired
certificate A2.

Yours, Junxiao

On Wed, Mar 30, 2016 at 1:51 PM, Gusev, Peter <peter at remap.ucla.edu> wrote:

> Every Data packet signed with my certificate has a KeyLocator.
> Question - is a KeyLocator the name of a certificate (or of a public key)?
> Does the consumer use the KeyLocator as-is to issue an Interest with the
> corresponding name?
>
> Thanks,
>
> --
> Peter Gusev
>
>
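The mechanism Junxiao describes (KeyLocator = certificate name without the version, Interest for that name, and rollover by re-certifying the same key under a new version) as a runnable toy model. This is an added example, not ndn-cxx or NFD code. Assumptions not in the thread: the legacy-style certificate name layout /<identity>/KEY/<key-id>/ID-CERT/<version>, a version modelled as a Version object rather than its wire encoding, an Interest for the KeyLocator name being answered with the newest matching version, a toy integer clock, and signatures replaced by HMAC-SHA256 tags checked with a secret the toy certificate carries in place of a public key. The names, key ids and expiry values are constructed.

```python
"""Toy model of NDN KeyLocator resolution and certificate rollover (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Version:
    number: int  # version component; wire encoding is out of scope here


Component = Union[str, Version]
Name = Tuple[Component, ...]


def name(uri_str: str, version: Optional[int] = None) -> Name:
    """Build a Name from a URI such as '/ndn/edu/arizona', optionally versioned."""
    comps: Name = tuple(c for c in uri_str.split("/") if c)
    return comps + (Version(version),) if version is not None else comps


def uri(n: Name) -> str:
    return "/" + "/".join(f"v={c.number}" if isinstance(c, Version) else c for c in n)


def key_locator_name(cert_name: Name) -> Name:
    """Certificate name minus its trailing version component (the KeyLocator Name)."""
    if not cert_name or not isinstance(cert_name[-1], Version):
        raise ValueError("certificate name must end in a version component")
    return cert_name[:-1]


def is_prefix(prefix: Name, full: Name) -> bool:
    return full[: len(prefix)] == prefix


@dataclass(frozen=True)
class KeyPair:
    key_id: str
    secret: bytes  # toy stand-in for a key pair (assumption: HMAC tag, not a real signature)

    def sign(self, n: Name, content: bytes) -> bytes:
        return hmac.new(self.secret, uri(n).encode() + content, hashlib.sha256).digest()

    def check(self, n: Name, content: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(n, content), sig)


@dataclass
class Certificate:
    name: Name                    # .../KEY/<key-id>/ID-CERT/<version> (assumed layout)
    key: KeyPair                  # certified key (toy: carries the secret, not a public key)
    not_after: int                # expiry on the toy clock
    key_locator: Optional[Name]   # issuer cert name minus version; None for a self-signed anchor
    signature: bytes = b""

    @property
    def content(self) -> bytes:
        return self.key.secret


@dataclass
class Data:
    name: Name
    content: bytes
    key_locator: Name             # signing cert name minus version
    signature: bytes


def make_cert(cert_name: Name, key: KeyPair, not_after: int, issuer: Optional[Certificate]) -> Certificate:
    key_locator_name(cert_name)   # validates that the cert name ends in a version
    cert = Certificate(cert_name, key, not_after, key_locator_name(issuer.name) if issuer else None)
    signer = issuer.key if issuer else key  # anchors are self-signed
    cert.signature = signer.sign(cert.name, cert.content)
    return cert


def make_data(data_name: Name, content: bytes, key: KeyPair, cert: Certificate) -> Data:
    return Data(data_name, content, key_locator_name(cert.name), key.sign(data_name, content))


class Verifier:
    def __init__(self, store: List[Certificate], anchors, now: int):
        self.store = list(store)      # certificates reachable by Interest
        self.anchors = set(anchors)   # full (versioned) names of trusted anchor certs
        self.now = now

    def fetch(self, key_locator: Name) -> Optional[Certificate]:
        """Express an Interest for the KeyLocator name; the newest version answers."""
        matches = [c for c in self.store if is_prefix(key_locator, c.name)]
        return max(matches, key=lambda c: c.name[-1].number, default=None)

    def verify(self, packet, depth: int = 0) -> bool:
        if depth > 8 or packet.key_locator is None:
            return False              # cyclic chain, or untrusted self-signed cert
        cert = self.fetch(packet.key_locator)
        if cert is None or self.now > cert.not_after:
            return False
        if not cert.key.check(packet.name, packet.content, packet.signature):
            return False
        return cert.name in self.anchors or self.verify(cert, depth + 1)


def rollover_scenario() -> dict:
    """The thread's example: K1 certified by A1, then re-certified by A2 after A1 expires."""
    arizona1, arizona2 = KeyPair("ksk-a1", b"arizona-1"), KeyPair("ksk-a2", b"arizona-2")
    k1 = KeyPair("ksk-k1", b"junxiao-k1")
    a1 = make_cert(name("/ndn/edu/arizona/KEY/ksk-a1/ID-CERT", 1), arizona1, 100, None)
    a2 = make_cert(name("/ndn/edu/arizona/KEY/ksk-a2/ID-CERT", 1), arizona2, 300, None)
    c1 = make_cert(name("/ndn/edu/arizona/shijunxiao/KEY/ksk-k1/ID-CERT", 1), k1, 200, a1)
    c2 = make_cert(name("/ndn/edu/arizona/shijunxiao/KEY/ksk-k1/ID-CERT", 2), k1, 300, a2)
    old = make_data(name("/ndn/edu/arizona/shijunxiao/old"), b"old", k1, c1)
    new = make_data(name("/ndn/edu/arizona/shijunxiao/new"), b"new", k1, c2)
    anchors = {a1.name, a2.name}
    before = Verifier([a1, c1], anchors, now=150)          # A1 expired, C2 not yet published
    after = Verifier([a1, a2, c1, c2], anchors, now=150)   # C2 published under the same name
    return {
        "same_key_locator": old.key_locator == new.key_locator,
        "old_before_rollover": before.verify(old),   # fails: chain ends at expired A1
        "old_after_rollover": after.verify(old),     # fetch returns C2, chain ends at A2
        "new_after_rollover": after.verify(new),
        "fetched_version": after.fetch(old.key_locator).name[-1].number,
    }
```

Because old and new Data carry the same KeyLocator Name, the verifier's Interest resolves to whichever certificate version is newest; publishing C2 is enough to keep Data signed before the rollover verifiable, without re-signing it.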