[Nfd-dev] [EXT]Re: NDN Testbed Root certificate not published

Lixia Zhang lixia at cs.ucla.edu
Sun May 3 08:00:18 PDT 2020 

> On May 2, 2020, at 8:52 AM, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:
> 
> Hi Lixia
> It's great to get your answer, instead of telling me to shut up.

One is welcome to bring real issues to the talks. 
One should shutup when he/she blocks everyone else and disrupts meeting agendas.

> The root certificate does not need to be maintained. It lasts for several years.
> Current and historical root certificates can be seen here: https://named-data.net/ndn-testbed/ <https://named-data.net/ndn-testbed/>
Even if that is the current practice (perhaps inherited from today's TCP/IP networks practice), it's not the proof of being the right practice.

> Unretrievable root/site certificates will hinder the adoption of certificate bundle.
> 
> For replication, I proposed a manual replication method, and it was approved on 20160630 NFD call. However, it's still not deployed.
> https://lists.netsec.colostate.edu/mailman/private/operators/2020-May/001430.html <https://lists.netsec.colostate.edu/mailman/private/operators/2020-May/001430.html>
> 
> Yours, Junxiao
> 
> On Sat, May 2, 2020 at 11:48 AM Lixia Zhang <lixia at cs.ucla.edu <mailto:lixia at cs.ucla.edu>> wrote:
> External Email
> 
> yes I believe the root cert should be published, and should be replicated in the repo of all testbed routers.
> 
> I think the question really is who is responsible for maintaining root cert (I do not know the current practice, but let me find out)
> 
> Lixia
> 
>> On May 2, 2020, at 8:31 AM, Junxiao Shi via Nfd-dev <nfd-dev at lists.cs.ucla.edu <mailto:nfd-dev at lists.cs.ucla.edu>> wrote:
>> 
>> Dear folks
>> 
>> I wonder whether the testbed root certificate should be published over NDN?
>> Which node(s) are responsible for publishing this certificate?
>> 
>> Yours, Junxiao
>> 
>> ---------- Forwarded message ---------
>> From: Junxiao Shi <shijunxiao at email.arizona.edu <mailto:shijunxiao at email.arizona.edu>>
>> Date: Sat, May 2, 2020 at 11:30 AM
>> Subject: Re: NDN Testbed Root certificate not published
>> To: <operators at lists.named-data.net <mailto:operators at lists.named-data.net>> <operators at lists.named-data.net <mailto:operators at lists.named-data.net>>
>> 
>> 
>> Hi NDNOPS
>> 
>> I notice that the "NDN Testbed Root" certificate cannot be retrieved over NDN.
>> 
>> From https://named-data.net/ndnsec/ndn-testbed-root-v2.ndncert.txt <https://named-data.net/ndnsec/ndn-testbed-root-v2.ndncert.txt> I can see:
>> Certificate name: /ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B
>> 
>> However, I cannot retrieve the certificate over NDN.
>> To rule out potential connectivity problems, I'm running the commands on Arizona router.
>> 
>> shijunxiao at hobo:~$ ndnpeek -V
>> ndnpeek 0.7-1-g7d14815
>> shijunxiao at hobo:~$ ndnpeek -P /ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B
>> shijunxiao at hobo:~$ echo $?
>> 3
>> 
>> The second command sets CanBePrefix flag with -P. There's no response to this Interest.
>> ndnpeek exit code is 3. In ndnpeek 0.7, this means InterestLifetime has timed out.
>> 
>> 
>> Although root CA certificate retrieval is not a prerequisite of verifying packets, I still think the root certificate should be available over NDN.
>> 
>> Yours, Junxiao
>> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20200503/6734ebdf/attachment.html>

More information about the Nfd-dev mailing list