[Nfd-dev] [EXT]Re: NDN Testbed Root certificate not published

David Oran daveoran at orandom.net
Sat May 2 10:28:22 PDT 2020



___________________________
iDevice - please excuse typos.

> On May 2, 2020, at 11:53 AM, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:
> 
> 
> Hi Lixia
> It's great to get your answer, instead of telling me to shut up.
> 
> The root certificate does not need to be maintained. It lasts for several years.
Unless someone is careless with the associated private key...

> Current and historical root certificates can be seen here: https://named-data.net/ndn-testbed/
> 
> Unretrievable root/site certificates will hinder the adoption of the certificate bundle.
> 
> For replication, I proposed a manual replication method, and it was approved on the 20160630 NFD call. However, it's still not deployed.
> https://lists.netsec.colostate.edu/mailman/private/operators/2020-May/001430.html
> 
> Yours, Junxiao
> 
>> On Sat, May 2, 2020 at 11:48 AM Lixia Zhang <lixia at cs.ucla.edu> wrote:
>> 
>> Yes, I believe the root cert should be published, and should be replicated in the repo of all testbed routers.
>> 
>> I think the question really is who is responsible for maintaining the root cert (I do not know the current practice, but let me find out).
>> 
>> Lixia
>> 
>>> On May 2, 2020, at 8:31 AM, Junxiao Shi via Nfd-dev <nfd-dev at lists.cs.ucla.edu> wrote:
>>> 
>>> Dear folks
>>> 
>>> I wonder whether the testbed root certificate should be published over NDN?
>>> Which node(s) are responsible for publishing this certificate?
>>> 
>>> Yours, Junxiao
>>> 
>>> ---------- Forwarded message ---------
>>> From: Junxiao Shi <shijunxiao at email.arizona.edu>
>>> Date: Sat, May 2, 2020 at 11:30 AM
>>> Subject: Re: NDN Testbed Root certificate not published
>>> To: <operators at lists.named-data.net> <operators at lists.named-data.net>
>>> 
>>> 
>>> Hi NDNOPS
>>> 
>>> I notice that the "NDN Testbed Root" certificate cannot be retrieved over NDN.
>>> 
>>> From https://named-data.net/ndnsec/ndn-testbed-root-v2.ndncert.txt I can see:
>>> Certificate name: /ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B
>>> 
>>> However, I cannot retrieve the certificate over NDN.
>>> To rule out potential connectivity problems, I'm running the commands on the Arizona router.
>>> 
>>> shijunxiao at hobo:~$ ndnpeek -V
>>> ndnpeek 0.7-1-g7d14815
>>> shijunxiao at hobo:~$ ndnpeek -P /ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B
>>> shijunxiao at hobo:~$ echo $?
>>> 3
>>> 
>>> The second command sets the CanBePrefix flag with -P. There's no response to this Interest.
>>> ndnpeek exit code is 3. In ndnpeek 0.7, this means InterestLifetime has timed out.
>>> 
>>> 
>>> Although root CA certificate retrieval is not a prerequisite of verifying packets, I still think the root certificate should be available over NDN.
>>> 
>>> Yours, Junxiao
>>> 
>> 


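An added example (not part of the original messages and not NDN project code): it splits the certificate name quoted in the thread into its fields and decodes the version component, which helps confirm that the name being requested is the one intended. It assumes the `/<identity>/KEY/<key-id>/<issuer-id>/<version>` certificate naming layout and that the version is a millisecond Unix timestamp; the thread states neither, and `parse_cert_name` is a hypothetical helper name.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_to_bytes

# Certificate name exactly as quoted in the thread.
ROOT_CERT_NAME = "/ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B"

VERSION_MARKER = 0xFD  # marker byte of a version component (marker-based convention)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_cert_name(uri):
    """Split an NDN certificate name URI into its fields.

    Assumed layout: /<identity>/KEY/<key-id>/<issuer-id>/<version>
    """
    raw = uri.strip("/").split("/")
    comps = [unquote_to_bytes(c) for c in raw]  # percent-decoded component bytes
    if len(comps) < 4 or comps[-4] != b"KEY":
        raise ValueError("KEY must be the fourth component from the end")

    version = comps[-1]
    # Marker byte followed by a 1-, 2-, 4- or 8-byte big-endian integer.
    if len(version) not in (2, 3, 5, 9) or version[0] != VERSION_MARKER:
        raise ValueError("last component is not a marker-encoded version")
    number = int.from_bytes(version[1:], "big")

    return {
        "identity": "/" + "/".join(raw[:-4]),  # kept percent-encoded
        "key_id": comps[-3].hex(),
        "issuer_id": raw[-2],
        "version": number,
        # Assumption: the version number is milliseconds since the Unix epoch.
        "issued_utc": EPOCH + timedelta(milliseconds=number),
    }


if __name__ == "__main__":
    for field, value in parse_cert_name(ROOT_CERT_NAME).items():
        print(f"{field:10} {value}")
```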