[Nfd-dev] [EXT]Re: NDN Testbed Root certificate not published

Junxiao Shi shijunxiao at email.arizona.edu
Sat May 2 08:52:39 PDT 2020


Hi Lixia
It's great to get your answer, instead of telling me to shut up.

The root certificate does not need to be maintained. It lasts for several
years.
Current and historical root certificates can be seen here:
https://named-data.net/ndn-testbed/

Unretrievable root/site certificates will hinder the adoption of *certificate
bundle*.

For replication, I proposed a manual replication method, and it was
approved on the 20160630 NFD call. However, it's still not deployed.
https://lists.netsec.colostate.edu/mailman/private/operators/2020-May/001430.html

Yours, Junxiao

On Sat, May 2, 2020 at 11:48 AM Lixia Zhang <lixia at cs.ucla.edu> wrote:

> Yes, I believe the root cert should be published, and should be replicated
> in the repo of all testbed routers.
>
> I think the question really is who is responsible for maintaining the root
> cert (I do not know the current practice, but let me find out).
>
> Lixia
>
> On May 2, 2020, at 8:31 AM, Junxiao Shi via Nfd-dev <
> nfd-dev at lists.cs.ucla.edu> wrote:
>
> Dear folks
>
> I wonder whether the testbed root certificate should be published over NDN?
> Which node(s) are responsible for publishing this certificate?
>
> Yours, Junxiao
>
> ---------- Forwarded message ---------
> From: Junxiao Shi <shijunxiao at email.arizona.edu>
> Date: Sat, May 2, 2020 at 11:30 AM
> Subject: Re: NDN Testbed Root certificate not published
> To: <operators at lists.named-data.net> <operators at lists.named-data.net>
>
>
> Hi NDNOPS
>
> I notice that the "NDN Testbed Root" certificate cannot be retrieved over
> NDN.
>
> From https://named-data.net/ndnsec/ndn-testbed-root-v2.ndncert.txt I can
> see:
> Certificate name:
> /ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B
>
> However, I cannot retrieve the certificate over NDN.
> To rule out potential connectivity problems, I'm running the commands on
> the Arizona router.
>
> shijunxiao@hobo:~$ ndnpeek -V
> ndnpeek 0.7-1-g7d14815
> shijunxiao@hobo:~$ ndnpeek -P /ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B
> shijunxiao@hobo:~$ echo $?
> 3
>
> The second command sets the CanBePrefix flag with -P. There's no response to
> this Interest.
> The ndnpeek exit code is 3. In ndnpeek 0.7, this means InterestLifetime has
> timed out.
>
>
> Although root CA certificate retrieval is not a prerequisite of verifying
> packets, I still think the root certificate should be available over NDN.
>
> Yours, Junxiao
>
>
>