[Nfd-dev] KEY in certificate names

Gusev, Peter peter at remap.UCLA.edu
Wed Mar 30 14:14:45 PDT 2016


Thanks! This clarifies a bit…

I think it’s a good time to ask about the “canonical” way applications should behave in terms of generating certificates/identities.

Here’s how I see it now (with the example of user “mrfoo” from the REMAP institution):

• User gets testbed certificate (which reflects her identity - can I say that?):
  – /ndn/edu/ucla/remap/mrfoo
• his public key is:
  – /ndn/edu/ucla/remap/mrfoo/ksk-12345…

• user launches app for the first time and (based on user’s identity) it generates “app identity” for signing instance certificates:
  – /ndn/edu/ucla/remap/mrfoo/ndncon
• app’s public key and certificate:
  – /ndn/edu/ucla/remap/mrfoo/ndncon/ksk-<timestamp>
  – /ndn/edu/ucla/remap/mrfoo/ndncon/KEY/ksk-<timestamp>/ID-CERT

• app uses app certificate to create an “instance identity”:
  – /ndn/edu/ucla/remap/mrfoo/ndncon/instance<timestamp>
• app instance public key and cert:
  – /ndn/edu/ucla/remap/mrfoo/ndncon/instance<timestamp>/dsk-<timestamp>
  – /ndn/edu/ucla/remap/mrfoo/ndncon/instance<timestamp>/KEY/dsk-<timestamp>/ID-CERT

• app instance registers prefix and serves data under this prefix:
  – /ndn/edu/ucla/remap/mrfoo/ndncon/instance<timestamp>

• app’s data packets are signed with instance certificate and keylocator is:
  – /ndn/edu/ucla/remap/mrfoo/ndncon/instance<timestamp>/KEY/dsk-<timestamp>/ID-CERT

• app adds instance certificate to its memory content cache so that it can answer incoming interests with the keylocator name

Looking forward to your feedback.

Thanks,

--
Peter Gusev

peter at remap.ucla.edu
+1 213 5872748
peetonn_ (skype)

Software Engineer/Programmer Analyst @ REMAP UCLA

Video streaming/ICN networks/Creative Development

On Mar 30, 2016, at 2:02 PM, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:

Hi Peter

The KeyLocator Name field typically contains the certificate name minus the version number. A verifier should express an Interest with that name to retrieve the certificate.
The version number is excluded because there could be multiple certificate versions of the same key.

Having multiple certificate versions of the same key is useful in case of a site certificate rollover.
Suppose I own key pair K1, and my certificate C1 is signed by Arizona's certificate A1. Later A1 expires, and is replaced by a new key and new certificate A2. I can have Arizona sign my same public key K1 into my certificate C2. C1 and C2 will have the same name except for different version numbers. Since both C1 and C2 refer to the same key pair K1, all my old and new Data can be verified with C2, which is signed by an unexpired certificate A2.

Yours, Junxiao

On Wed, Mar 30, 2016 at 1:51 PM, Gusev, Peter <peter at remap.ucla.edu> wrote:
Every data packet signed with my certificate has a keylocator.
Question: is a KeyLocator the name of a certificate (or of a public key)?
Does the consumer use the keylocator as-is to issue an interest with the corresponding name?

Thanks,

--
Peter Gusev
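The naming layout proposed above (user → app → instance identities) and Junxiao's point that the KeyLocator omits the version so that re-signed certificates C1/C2 of the same key both satisfy it, as an added example that is not code from the thread or from ndn-cxx. Names are modelled as lists of string components; the version markers "v1"/"v2", the timestamps and key ids are constructed placeholders.

```python
# Added example (not from the thread or ndn-cxx): models the certificate naming
# convention discussed above. Names are lists of string components; the "v1"/"v2"
# version markers and the timestamps are constructed placeholders.
from typing import List, Optional

Name = List[str]

def cert_name(identity: Name, key_id: str, version: str) -> Name:
    """<identity>/KEY/<key-id>/ID-CERT/<version>, the layout used in the thread."""
    return identity + ["KEY", key_id, "ID-CERT", version]

def key_locator(cert: Name) -> Name:
    """KeyLocator Name = certificate name minus the trailing version component."""
    if len(cert) < 5 or cert[-2] != "ID-CERT" or cert[-4] != "KEY":
        raise ValueError("not a certificate name: /" + "/".join(cert))
    return cert[:-1]

def identity_of(cert: Name) -> Name:
    """Strip KEY/<key-id>/ID-CERT/<version> to get the identity the cert belongs to."""
    return key_locator(cert)[:-3]

def satisfies(locator: Name, cert: Name) -> bool:
    """Would this certificate answer an Interest for the locator name?
    True iff the locator is a prefix of the certificate name (any version)."""
    return cert[:len(locator)] == locator

def lookup(cache: List[Name], locator: Name) -> Optional[Name]:
    """Memory content cache lookup: newest matching version wins, which is what
    lets a verifier pick up C2 after the C1 -> C2 rollover without any change
    to the KeyLocator carried in already-signed Data."""
    hits = [c for c in cache if satisfies(locator, c)]
    return max(hits, key=lambda c: c[-1]) if hits else None  # "v1" < "v2" by string order

def is_under(parent: Name, child: Name) -> bool:
    """Hierarchy check: a child identity must strictly extend its parent identity."""
    return len(child) > len(parent) and child[:len(parent)] == parent

# Constructed sample following the user -> app -> instance layering.
USER = ["ndn", "edu", "ucla", "remap", "mrfoo"]
APP = USER + ["ndncon"]
INST = APP + ["instance1459372485"]          # placeholder timestamp
user_cert = cert_name(USER, "ksk-12345", "v1")
app_cert = cert_name(APP, "ksk-1459372000", "v1")
inst_cert_v1 = cert_name(INST, "dsk-1459372485", "v1")
inst_cert_v2 = cert_name(INST, "dsk-1459372485", "v2")  # same key, re-signed later
```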

