[Nfd-dev] [EXT]Re: Try NDNCERT (based on Interest-Data exchange) and get an NDN certificate today

Junxiao Shi shijunxiao at email.arizona.edu
Thu Feb 18 17:56:10 PST 2021


Hi Zhiyi



>> Missing prefix registration of issued certificate
>> Currently, it's impossible to retrieve an issued certificate unless the
>> requester is directly connected to the CA host.
>> To solve this issue, the CA needs to perform a prefix registration for
>> each certificate, and use Origin=0x41 in the registration. This would cause
>> local NLSR to initiate a routing announcement on each certificate name, so
>> that the certificate is reachable from anywhere on the network.
>> This prefix registration should be deleted when the certificate falls out
>> of CA's issued certificate cache, which also withdraws the routing
>> announcement.
>>
>
> I think this is not an issue given the requester will directly contact the
> CA?
> After fetching the certificate, the requester should take responsibility
> to make his certificate available to the network.
>

No, you should not assume a direct IP connection. "The requester will
directly contact the CA" should mean an Interest sent directly to the CA's
name prefix, not a direct IP connection. In NDN we think about names, not
host addresses.

The CA profile packet should contain all the information needed to complete
a certificate issuance procedure, and "IP address of the CA" is not in the
CA profile.

Case A: an end host could be IPv6-only but *suns* is IPv4-only, so that
it's impossible to establish a direct connection. The end host would have
to connect to udp6://ndnhub.ipv6.lip6.fr, which is the only IPv6-enabled
router, and rely on testbed routing to reach your CA.

Case B: a recent measurement indicates that *suns* does not accept packets
from end hosts in Europe. Once again, they'll have to connect to another
testbed router, and rely on testbed routing to reach your CA.
https://atlas.ripe.net/measurements/29136922/#probes

Case C: the requester could be on a web page using QUIC transport, and
rely on a QUIC-to-NDN gateway to reach the testbed.

Yours, Junxiao
