[Nfd-dev] NDNCert

Zhiyi Zhang zhiyi at cs.ucla.edu
Thu Feb 13 11:51:37 PST 2020


Hi John,

Thank you for your attention.

On Thu, Feb 13, 2020 at 7:47 AM Dehart, John <jdd at wustl.edu> wrote:

> Zhiyi,
>
> Something that would be helpful for me to understand the NDNCert protocol and
> how it will operate is if we could have a detailed walkthrough of an example of
> how it would work on the NDN Testbed.
>
> I envision it would be something like this but I am probably missing parts or have some
> things wrong:
>
> 1. Create root self-signed cert on UCLA node.
> 2. Run Root NDN Testbed CA on UCLA node using root self signed cert
> 3. On each NDN Testbed node:
>      a. Create node prefix based ndnsec key pair
>

This step will automatically be done by NDNCERT.


>      b. Request cert from Root NDN Testbed CA at UCLA
>      c. Run node prefix based CA for this node's namespace
> 4. Users wanting a cert within an NDN Testbed node's namespace request it
> from that node's CA
>

There is no problem here.
Something to add:
In your example, the UCLA node is the root node (the root node CA can be hosted
by any testbed node). Then I think UCLA will own two CA instances. One is
the root CA, i.e., /ndn/CA, and the other is UCLA's CA, i.e.,
/ndn/edu/ucla/CA.


> Given that kind of scenario, what would be the protocol messages,
> challenges, email exchanges, etc.
> that would be required.
>

My suggestion is to use a PIN code for site CAs to get certificates from the
root CA, which means the root CA only accepts the PIN code challenge.
Regarding normal CAs, I think using email and PIN code challenges is
sufficient.


>
> This may not fit into today's conf call but it would be something to have
> before we are ready to deploy on the NDN Testbed.
>

You are absolutely right.
I think the ndn-dev call needs to cover the following topics:
1. CA names
2. repo deployment
3. mapping from an email address to an NDN name
4. what challenges to use for different types of CAs (root CA, site CA)

Best,
Zhiyi


> John
>
>