[Nfd-dev] Update on NDNCERT protocol
Junxiao Shi
shijunxiao at email.arizona.edu
Tue Mar 3 09:34:45 PST 2020
Hi Zhiyi
1. sec 2.1.2 why we need version + segment components? I understand the use
> of version component but why bother segment component? What's the benefit
> of using these two rather than timestamp?
>
Having a segment component is future proof: the information in a CA profile
may exceed the optimal size of one segment.
RDR <https://redmine.named-data.net/projects/ndn-tlv/wiki/RDR> metadata has
a segment component for the same reason.
2. sec 2.1.2 yes I am considering RSA OAEP, the main reason for using RSA
> instead of the session key (e.g., ECDH) is the round trip -- ECDH requires
> an additional round trip to set up the session (which may be too costly for
> an informational query).
>
RSA-OAEP is discouraged for new designs
<https://crypto.stackexchange.com/a/51615>.
NDNCERT, being a security protocol, should prioritize security properties
over bandwidth cost.
ECDH plus AES-GSM would provide better security properties that includes
forward secrecy.
> 3. sec 2.1.4 do we need to consider the evolvability here? given it's an
> application layer protocol and all fields clearly defined.
>
TLV evolvability guidelines should be followed by default, unless there's a
reason to opt out of TLV evolvability guidelines.
> 4. sec 2.2.2 you suggested the type name be email and full name, do you
> expect them to be pre-defined as TLV types? If so, it's really a usability
> issue because different CAs may require totally different information for
> the probe.
>
There are two options.
First option is to include TLV-TYPE number for each item as part of the CA
profile.
The CA profile could say:
<ProbeDefinitions>
<DescriptionEntry>
<DescriptionKey>email</DescriptionKey>
<DescriptionValue>1243</DescriptionValue>
</DescriptionEntry>
<DescriptionEntry>
<DescriptionKey>full name</DescriptionKey>
<DescriptionValue>3186</DescriptionValue>
</DescriptionEntry>
<ProbeDefinitions>
This tells the requester what TLV-TYPE numbers to use.
The requester can then send:
<ProbeParameters>
<1243>david.henson at contoso.com</1243>
<3186>David Henson</3186>
</ProbeParameters>
Second option is to use DescriptionEntry structure in the PROBE Interest
packet.
<ProbeParameters>
<DescriptionEntry>
<DescriptionKey>email</DescriptionKey>
<DescriptionValue>david.henson at contoso.com</DescriptionValue>
</DescriptionEntry>
<DescriptionEntry>
<DescriptionKey>full name</DescriptionKey>
<DescriptionValue>David Henson</DescriptionValue>
</DescriptionEntry>
</ProbeParameters>
Comparing these two options:
- First option makes PROBE Interest packet smaller.
- Second option has less complexity in terms of binary code size.
> 5. sec 2.2.2. regarding multiple available names in PROBE reply, I don't
> think so? given it's not an important feature. And we may not want to
> bother CA to design a function to output multiple namespaces?=
>
ndncert-legacy allows the same email to request one of many name prefixes.
For example, david.henson at contoso.com can request:
/8=ndn/8=guest/8=david.henson%25contoso.com
/8=ndn/8=edu/8=arizona/8=%40GUEST/8=david.henson%25contoso.com
/8=ndn/8=edu/8=ucla/8=%40GUEST/8=david.henson%25contoso.com
and many other names.
Likewise, new NDNCERT should allow multiple names as well referrals to
sub-CAs to appear in the PROBE reply, to preserve this feature of the
existing system.
Yours, Junxiao
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20200303/54e7a75c/attachment-0001.html>
More information about the Nfd-dev
mailing list