[Nfd-dev] [EXT]Re: NDN Testbed Root certificate not published
David Oran
daveoran at orandom.net
Sat May 2 10:28:22 PDT 2020
___________________________
iDevice - please excuse typos.
> On May 2, 2020, at 11:53 AM, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:
>
>
> Hi Lixia
> It's great to get your answer, instead of telling me to shut up.
>
> The root certificate does not need to be maintained. It lasts for several years.
Unless someone is careless with the associated private key...
> Current and historical root certificates can be seen here: https://named-data.net/ndn-testbed/
>
> Unretrievable root/site certificates will hinder the adoption of certificate bundle.
>
> For replication, I proposed a manual replication method, and it was approved on 20160630 NFD call. However, it's still not deployed.
> https://lists.netsec.colostate.edu/mailman/private/operators/2020-May/001430.html
>
> Yours, Junxiao
>
>> On Sat, May 2, 2020 at 11:48 AM Lixia Zhang <lixia at cs.ucla.edu> wrote:
>> External Email
>>
>> yes I believe the root cert should be published, and should be replicated in the repo of all testbed routers.
>>
>> I think the question really is who is responsible for maintaining root cert (I do not know the current practice, but let me find out)
>>
>> Lixia
>>
>>> On May 2, 2020, at 8:31 AM, Junxiao Shi via Nfd-dev <nfd-dev at lists.cs.ucla.edu> wrote:
>>>
>>> Dear folks
>>>
>>> I wonder whether the testbed root certificate should be published over NDN?
>>> Which node(s) are responsible for publishing this certificate?
>>>
>>> Yours, Junxiao
>>>
>>> ---------- Forwarded message ---------
>>> From: Junxiao Shi <shijunxiao at email.arizona.edu>
>>> Date: Sat, May 2, 2020 at 11:30 AM
>>> Subject: Re: NDN Testbed Root certificate not published
>>> To: <operators at lists.named-data.net> <operators at lists.named-data.net>
>>>
>>>
>>> Hi NDNOPS
>>>
>>> I notice that the "NDN Testbed Root" certificate cannot be retrieved over NDN.
>>>
>>> From https://named-data.net/ndnsec/ndn-testbed-root-v2.ndncert.txt I can see:
>>> Certificate name: /ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B
>>>
>>> However, I cannot retrieve the certificate over NDN.
>>> To rule out potential connectivity problems, I'm running the commands on Arizona router.
>>>
>>> shijunxiao at hobo:~$ ndnpeek -V
>>> ndnpeek 0.7-1-g7d14815
>>> shijunxiao at hobo:~$ ndnpeek -P /ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B
>>> shijunxiao at hobo:~$ echo $?
>>> 3
>>>
>>> The second command sets CanBePrefix flag with -P. There's no response to this Interest.
>>> ndnpeek exit code is 3. In ndnpeek 0.7, this means InterestLifetime has timed out.
>>>
>>>
>>> Although root CA certificate retrieval is not a prerequisite of verifying packets, I still think the root certificate should be available over NDN.
>>>
>>> Yours, Junxiao
>>>
>>
> _______________________________________________
> Nfd-dev mailing list
> Nfd-dev at lists.cs.ucla.edu
> http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20200502/2a18201a/attachment.html>
More information about the Nfd-dev
mailing list