[Nfd-dev] [EXT]Re: Update on NDNCERT protocol

Zhiyi Zhang zhiyi at cs.ucla.edu
Tue Apr 14 11:37:14 PDT 2020


On Tue, Apr 14, 2020 at 5:05 AM Junxiao Shi <shijunxiao at email.arizona.edu>
wrote:

> Hi Zhiyi
>
> Comments on revision 99ed1b3.
>
>
> *Terminology*
> "the TLV encoding of integer, string, and bytes all follow
> NDN TLV encoding", but none of these encodings is specified on the linked
> page.
> This is the fourth time I point out the same problem, and it's still not
> fixed.
>

Sorry for overlooking this. Fixed this time.


>
>
> In "we call /example/alice a child namespace", "child" should be "sub",
> because there's only a definition of "sub namespace" and "child namespace"
> was never defined.
>

Fixed.


>
> "SignatureTimeStamp" should be "SignatureTime".
>

Fixed.

>
> * All strings are specified as UTF 8 encoded
>>
> This should appear in the Terminology section. Other sections do not need
> to repeat "UTF-8".
>

Added

>
> *CA profile*
> "The profile is kept in a Data packet" is inaccurate, because the CA
> profile could be segmented.
> It should say: The CA profile is published in Data packets as a segmented
> object following NDN naming conventions.
>

Changed.


>
> "A CA INFO Data packet" should be "CA profile Data packets".
>

Fixed.

>
> *PROBE step*
> In the example, URI representation of ParametersSha256DigestComponent is
> incorrect.
> In the example, Data name does not satisfy Interest name.
>

Updated.


>
> *NEW step*
> "cert-request.NotBefore >= Max(NOW, ca-certificate.NotBefore)" is
> problematic.
> Assuming requester and issuer have synchronized clocks:
>
>    1. Requester generates a cert-request at 08:00:01 UTC. Normally, the
>    requester would put 08:00:01 as NotBefore.
>    2. Issuer receives the NEW request at 08:00:02 UTC. According to the
>    above rule, this NEW request is invalid.
>
> To work around this issue, the requester would have to increment NotBefore
> to account for network latency, which complicates requester implementation.
> I'd suggest relaxing this rule to "cert-request.NotBefore >= Max(NOW -
> 60s, ca-certificate.NotBefore)", so that the requester does not have to
> increment NotBefore.
> Moreover, it's necessary to specify that timestamp rules are checked while
> the issuer processes a NEW request, and it is not checked while issuing a
> certificate.
>

I made it 120_s which confirms the grace period used in v0.2 implementation.


>
> "The L should be 12 bytes (128 bit)" is inconsistent. 12 bytes = 96 bits.
> 128 bits = 16 bytes.
>

Fixed.

Best,
Zhiyi


>
> Yours, Junxiao
>
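
The NotBefore rule discussed above, as an added example (not part of this thread and not NDNCERT code): a C++ sketch of the check as it would run while the issuer processes a NEW request, comparing the strict rule with the 120-second grace period. The names `checkNotBefore`, `NotBeforeCheck` and `utc` are hypothetical, and all timestamps are constructed.

```cpp
#include <chrono>
#include <cstdio>

using TimePoint = std::chrono::system_clock::time_point;
using std::chrono::seconds;

// Hypothetical result type: reports which bound of
// NotBefore >= Max(NOW - grace, ca-certificate.NotBefore) was violated.
enum class NotBeforeCheck { Ok, TooOld, BeforeCaCert };

// Evaluated while the issuer processes the NEW request; `now` is the issuer's clock.
// grace == 0 s is the strict rule, grace == 120 s the relaxed one from the thread.
NotBeforeCheck
checkNotBefore(TimePoint requested, TimePoint now, TimePoint caNotBefore, seconds grace)
{
  if (requested < caNotBefore)
    return NotBeforeCheck::BeforeCaCert;
  if (requested < now - grace)
    return NotBeforeCheck::TooOld;
  return NotBeforeCheck::Ok;
}

// Constructed sample time: hh:mm:ss on an arbitrary day.
TimePoint
utc(int h, int m, int s)
{
  return TimePoint(seconds(h * 3600 + m * 60 + s));
}

int
main()
{
  const TimePoint caNotBefore = utc(0, 0, 0);
  const TimePoint now = utc(8, 0, 2); // issuer receives the NEW request
  const char* names[] = {"Ok", "TooOld", "BeforeCaCert"};
  auto show = [&](const char* label, NotBeforeCheck r) {
    std::printf("%-36s %s\n", label, names[static_cast<int>(r)]);
  };
  // Requester stamped 08:00:01; one second of latency breaks the strict rule.
  show("08:00:01, strict", checkNotBefore(utc(8, 0, 1), now, caNotBefore, seconds(0)));
  show("08:00:01, 120 s grace", checkNotBefore(utc(8, 0, 1), now, caNotBefore, seconds(120)));
  // Backdated beyond the grace window is still rejected.
  show("07:57:00, 120 s grace", checkNotBefore(utc(7, 57, 0), now, caNotBefore, seconds(120)));
  // The grace period never reaches back before the CA certificate's own NotBefore.
  show("08:00:01, CA valid from 08:00:30", checkNotBefore(utc(8, 0, 1), now, utc(8, 0, 30), seconds(120)));
  return 0;
}
```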