[Nfd-dev] Try NDNCERT (based on Interest-Data exchange) and get an NDN certificate today

Zhiyi Zhang zhiyi at cs.ucla.edu
Fri Oct 5 13:21:29 PDT 2018 

We don't need to put the hint into the keylocator and change the Data
packet format.
Instead, we can add an extension TLV into the SignatureInfo part, e.g.,
http://named-data.net/doc/ndn-cxx/current/specs/certificate-format.html#additionaldescription,
and put the forwarding hint information there.

We can mention this in the ndncert documentation.

Best,
Zhiyi

On Fri, Oct 5, 2018 at 11:44 AM Junxiao Shi <shijunxiao at email.arizona.edu>
wrote:

> Hi Zhiyi
>
> Certificate publishing question: it seems that the certificates issued
>>>> from your CA is not published into the testbed, as I’m unable to retrieve
>>>> them by expressing an Interest of the certificate name with CanBePrefix. In
>>>> ndncert-legacy, the CA publishes every certificate it ever issued, and the
>>>> Relying Party can just refer to them with a KeyLocator. In new ndncert
>>>> system, who is expected to publish the certificates, CA or Replying Party
>>>> (client)?
>>>>
>>>
>> NDNCERT already support the repo-ng, which means the NDNCERT server can
>> publish all the issued certificates into the repo.
>> To solve the name issue (e.g., let /ndn/edu/ucla/CA serve
>> /ndn/edu/ucla/zhiyi/KEY/...), we can have a forwarding hint to forward the
>> request to the /ndn/edu/ucla and get the certificate from the repo. (repo's
>> registered prefix is not exposed to the testbed)
>>
>
> When a verifier V needs to retrieve a certificate, the only information V
> has is the KeyLocator. For example:
> <KeyLocator>
>   <Name>
>
> /ndn/edu/arizona/cs/shijunxiao/KEY/%FE%A6%A6%12r%9F%DE%A5/NA/%FD%00%00%01b%28%C6%91%1F
>   </Name>
> </KeyLocator>
> V is unable to infer the ForwardingHint needed for retrieving the
> certificate, because it does not know how many components are in the CA
> prefix.
>
> One obvious solution is to include forwarding hint in the KeyLocator:
> <KeyLocator>
>   <Name>
>
> /ndn/edu/arizona/cs/shijunxiao/KEY/%FE%A6%A6%12r%9F%DE%A5/NA/%FD%00%00%01b%28%C6%91%1F
>   </Name>
>   <ForwardingHint>
>     <Delegation>
>       <Preference>0</Preference>
>       <Name>/ndn/edu/arizona</Name>
>     </Delegation>
>   </ForwardingHint>
> </KeyLocator>
> but this requires changing the packet format, and possibly the certificate
> format as well because the signer needs to know what forwarding hint to put
> into the KeyLocator.
>
> Yours, Junxiao
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20181005/dc9da029/attachment.html>

More information about the Nfd-dev mailing list