[Nfd-dev] [EXT]Re: Try NDNCERT (based on Interest-Data exchange) and get an NDN certificate today

Junxiao Shi shijunxiao at email.arizona.edu
Fri Jan 8 16:43:12 PST 2021


Hi Zhiyi

Thanks for finishing the deployment, but you could have announced it
earlier.

I found three problems so far.
These problems are relevant to the latest protocol revision:
https://github.com/named-data/ndncert/wiki/NDNCERT-Protocol-0.3/46700d99c67dc94d13d26f838e4594f1f66d7c76

Wrong naming convention
The protocol requires the version and segment component to use 2019 naming
convention: the terminology section links to TR-0022 rev2.
However, the RDR server is returning a version number in 2014 naming
convention.
$ ndnpeek -Pf /ndn/CA/INFO/32=metadata | ndn-dissect
6 (Data) (size: 179)
  7 (Name) (size: 40)
    8 (GenericNameComponent) (size: 3) [[ndn]]
    8 (GenericNameComponent) (size: 2) [[CA]]
    8 (GenericNameComponent) (size: 4) [[INFO]]
    32 (KeywordNameComponent) (size: 8) [[metadata]]
    8 (GenericNameComponent) (size: 9) [[%FD%00%00%01v%E4%90%7C%E1]]
    8 (GenericNameComponent) (size: 2) [[%00%00]]
  20 (MetaInfo) (size: 3)
    25 (FreshnessPeriod) (size: 1) [[%0A]]
  21 (Content) (size: 28)
    7 (Name) (size: 26)
      8 (GenericNameComponent) (size: 3) [[ndn]]
      8 (GenericNameComponent) (size: 2) [[CA]]
      8 (GenericNameComponent) (size: 4) [[INFO]]
      8 (GenericNameComponent) (size: 9) [[%FD%00%00%01v%E3%FB%F2%3B]]
  22 (SignatureInfo) (size: 27)
    27 (SignatureType) (size: 1) [[%03]]
    28 (KeyLocator) (size: 22)
      7 (Name) (size: 20)
        8 (GenericNameComponent) (size: 3) [[ndn]]
        8 (GenericNameComponent) (size: 3) [[KEY]]
        8 (GenericNameComponent) (size: 8) [[e%9D%7F%A5%C5%81%10%7D]]
  23 (SignatureValue) (size: 71)
    48 (RESERVED_1) (size: 69)
      2 (ParametersSha256DigestComponent) (size: 32)
[[%02%9Cy%D6%3A%D3%B1%03%DC%B8%95%12%F6%3C%8A%85%B2%D7%BB%E2l%2B%B6%00%1A%BA%E8N%5B%D5%17%8D]]
      2 (ParametersSha256DigestComponent) (size: 33)
[[%00%81%82%EB%A5%B2%C1%F50t%8B%B5%07%1E%05%E7%F5%80%1E%2C%EB%EF%3C%9E%5B%D8%80%2C_%92%F8%CC%18]]

FinalBlockId field missing in CA profile
The protocol requires that the CA profile is versioned and segmented, and
must be compatible with RDR protocol.
This requirement implies that the last segment of the CA profile must carry
a FinalBlockId field that contains a value equaling the last component.
However, the CA profile packet does not have this field.
$ ndnpeek /ndn/CA/INFO/%FD%00%00%01v%E3%FB%F2%3B/%00%00 | ndn-dissect | head
6 (Data) (size: 769)
  7 (Name) (size: 30)
    8 (GenericNameComponent) (size: 3) [[ndn]]
    8 (GenericNameComponent) (size: 2) [[CA]]
    8 (GenericNameComponent) (size: 4) [[INFO]]
    8 (GenericNameComponent) (size: 9) [[%FD%00%00%01v%E3%FB%F2%3B]]
    8 (GenericNameComponent) (size: 2) [[%00%00]]
  20 (MetaInfo) (size: 4)
    25 (FreshnessPeriod) (size: 2) [[%03%E8]]
  21 (Content) (size: 625)

Inconsistency in ca-prefix
In the protocol, section 2.1.2 gives this example:
T:Content, L, V:
  T:ca-prefix, L, V:"/ndn/CA"
  T:ca-info, L, V:"NDN Testbed CA"

However, the ca-prefix field in the retrieved CA profile lacks the "/CA"
component.
$ ndnpeek -p /ndn/CA/INFO/%FD%00%00%01v%E3%FB%F2%3B/%00%00 | ndn-dissect | head
129 (APP_TAG_1) (size: 7)
  7 (Name) (size: 5)
    8 (GenericNameComponent) (size: 3) [[ndn]]
131 (APP_TAG_1) (size: 22) [[NDN%20Trust%20Anchor%3A%20%2Fndn]]
133 (APP_TAG_1) (size: 5) [[email]]
139 (APP_TAG_1) (size: 4) [[%00%13%C6%80]]
137 (APP_TAG_1) (size: 575)
  6 (Data) (size: 571)
    7 (Name) (size: 36)
      8 (GenericNameComponent) (size: 3) [[ndn]]

However, this is probably an error in the protocol write-up.
If ca-prefix is supposed to contain the "CA" component, the packet names
such as /<CA-prefix>/CA/NEW/<ParametersSha256Digest> would have two "CA"
components.
If this is the case, please update the example in the protocol write-up.

Yours, Junxiao

On Fri, Jan 8, 2021 at 5:25 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:

> Hi Junxiao,
>
> Yeah. It has been running and it supports both PIN code challenge and
> email challenge.
>
> I just applied a cert on my laptop (MacOS) from Suns server.
> Since we now support RDR discovery and fetch of the CA profile, we don't
> need to pre-configure the client. Instead, in step 2, type in the CA name
> that you want to contact, and in step 2, check the certificate information
> (the one shown below is a valid cert).
>
> ➜  ~ ndncert-client
> ***************************************
> Step 1: CA SELECTION
> > Index: 0
> >> CA prefix:/example
> >> Introduction: An example NDNCERT CA
> Please type in the CA's index that you want to apply or type in NONE if
> your expected CA is not in the list:
> none
>
> ***************************************
> Step 2: ADD NEW CA
> Please type in the CA's Name:
> /ndn
>
> ***************************************
> Step 2: Will use a new trust anchor, please double check the identity info:
> > New CA name: /ndn
> > This trust anchor information is signed by:
> Name=/ndn/KEY/e%9D%7F%A5%C5%81%10%7D
> > The certificate: > The certificate: Certificate name:
>   /ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B
> Validity:
>   NotBefore: 20171220T001939
>   NotAfter: 20201231T235959
> Additional Description:
>   fullname: NDN Testbed Root
> Public key bits:
>   MIIBSzCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAA
>   AAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA////
>   ///////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMVAMSd
>   NgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5
>   RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8AAAAA
>   //////////+85vqtpxeehPO5ysL8YyVRAgEBA0IABAUIdqatSflni6u9XO2ZSmBA
>   +MjDwkx2RiPtCCLsm4oKVn2Jyfa/yOSgZseGqnTEdbN1rDWvlIgAmxI0MUXVM1g=
> Signature Information:
>   Signature Type: SignatureSha256WithEcdsa
>   Key Locator: Self-Signed Name=/ndn/KEY/e%9D%7F%A5%C5%81%10%7D
>
> Do you trust the information? Type in YES or NO
> yes
> You answered YES: new CA /ndn will be used
>
> ***************************************
> Step 3: Do you know your identity name to be certified by CA /ndn already?
> Type in YES or NO
> no
> You answered NO
>
> ***************************************
> Step 4: Please provide information for name assignment
> Please input: email
> zhangzhiyi1919 at gmail.com
> Got it. This is what you've provided:
> email : zhangzhiyi1919 at gmail.com
>
> ***************************************
> Step 5: You can either select one of the following names suggested by the
> CA:
> > Index: 0
> >> Suggested name: /ndn/zhangzhiyi1919%40gmail.com
> >> Corresponding Max sufiix length: 2
>
> Or choose another trusted CA suggested by the CA:
> Please type in the index of your choice:
> 0
> You selected name: /ndn/zhangzhiyi1919%40gmail.com
> Enter Suffix if you would like one (Enter to skip):
>
> ***************************************
> Step 6: Please type in your expected validity period of your certificate.
> Type the number of hours (168 for week, 730 for month, 8760 for year). The
> CA may reject your application if your expected period is too long.
> 100
> The validity period of your certificate will be: 100 hours
>
> ***************************************
> Step 7: CHALLENGE SELECTION
> > Index: 0
> >> Challenge:email
> > Index: 1
> >> Challenge:pin
> Please type in the challenge index that you want to perform:
> 0
> The challenge has been selected: email
>
> ***************************************
> Step 8: Please provide parameters used for Identity Verification Challenge
> Please input your email address
> zhangzhiyi1919 at gmail.com
> Got it. This is what you've provided:
> email : zhangzhiyi1919 at gmail.com
>
> ***************************************
> Step 8: Please provide parameters used for Identity Verification Challenge
> Please input your verification code
> 537720
> Got it. This is what you've provided:
> code : 537720
> Certificate has already been issued, downloading certificate...
>
> ***************************************
> Step 8: DONE
> Certificate with Name: /ndn/zhangzhiyi1919%40gmail.com/KEY/%9B%93%17L%81%11%7C%AE/NDNCERT/725316137953299380
> has already been installed to your local keychain
> Exit now%
>
>
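The three checks from the report above (typed version and segment components per naming conventions rev2, a FinalBlockId on the last segment of the CA profile, and a ca-prefix equal to the profile name with /CA/INFO/<version>/<segment> stripped, which is the reading Junxiao proposes), written out as an added example in Python. This is not code from the ndncert project or from either poster: the TLV parsing is written from scratch against the NDN packet format, the ca-profile field numbers 129 (ca-prefix) and 131 (ca-info) are taken from the ndn-dissect output above, and the two sample packets are constructed here, unsigned, reusing the version timestamps of the captured packets rather than being captured from the testbed.

```python
"""Checks for the three issues raised above, run over raw NDN Data packets:
(1) version/segment components in the 2014 marker convention, (2) FinalBlockId
missing from the CA profile, (3) ca-prefix vs. the profile name. Added example,
not ndncert project code; the sample packets are constructed and unsigned."""
import struct

# TLV-TYPE numbers from the NDN packet format and NDN naming conventions rev2
T_DATA, T_NAME, T_METAINFO, T_CONTENT, T_FRESHNESS, T_FINAL_BLOCK_ID = 6, 7, 20, 21, 25, 26
T_GENERIC, T_KEYWORD, T_SEGMENT, T_VERSION = 8, 32, 50, 54  # 50/54: typed (2019) components
MARKER_SEGMENT, MARKER_VERSION = 0x00, 0xFD  # marker octets of the 2014 convention
T_CA_PREFIX, T_CA_INFO = 129, 131  # ca-profile field numbers seen in the ndn-dissect output

def read_varnum(buf, pos):
    """Decode a TLV-TYPE or TLV-LENGTH number; return (value, next position)."""
    if buf[pos] < 253:
        return buf[pos], pos + 1
    fmt = {253: ">H", 254: ">I", 255: ">Q"}[buf[pos]]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + struct.calcsize(fmt)

def parse_tlvs(buf):
    """Split a buffer into a list of (type, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        t, pos = read_varnum(buf, pos)
        length, pos = read_varnum(buf, pos)
        out.append((t, bytes(buf[pos:pos + length])))
        pos += length
    return out

def tlv(t, value):
    """Encode one TLV; the 1- and 3-octet number forms cover everything built here."""
    enc = lambda n: bytes([n]) if n < 253 else b"\xfd" + struct.pack(">H", n)
    return enc(t) + enc(len(value)) + value

def nonneg(n):
    """NonNegativeInteger: big-endian in the shortest of 1, 2, 4 or 8 octets."""
    return n.to_bytes(1 if n < 0x100 else 2 if n < 0x10000 else 4 if n < 0x100000000 else 8, "big")

def convention(comp):
    """Classify a component as (kind, convention), e.g. ('version', '2014'); else None."""
    t, v = comp
    typed = {T_VERSION: "version", T_SEGMENT: "segment"}
    marked = {MARKER_VERSION: "version", MARKER_SEGMENT: "segment"}
    if t in typed:
        return typed[t], "2019"
    if t == T_GENERIC and len(v) >= 2 and v[0] in marked:
        return marked[v[0]], "2014"
    return None

def to_2019(comp):
    """Re-encode a 2014 marker component as a typed component; others pass through."""
    kind = convention(comp)
    if kind is None or kind[1] == "2019":
        return comp
    return (T_VERSION if kind[0] == "version" else T_SEGMENT, comp[1][1:])  # drop the marker

def data_fields(packet):
    """Return (name components, MetaInfo TLVs, Content bytes) of an encoded Data."""
    (t, body), = parse_tlvs(packet)
    d = dict(parse_tlvs(body))
    return parse_tlvs(d[T_NAME]), parse_tlvs(d.get(T_METAINFO, b"")), d.get(T_CONTENT, b"")

def naming_findings(packet):
    """Issue 1: every version/segment component must use the typed (2019) encoding."""
    name = data_fields(packet)[0]
    return [f"component {i} is a 2014-style {convention(c)[0]}; expected a typed component"
            for i, c in enumerate(name) if (convention(c) or (None, None))[1] == "2014"]

def profile_findings(packet):
    """Issues 1-3 on a CA profile named /<ca-prefix>/CA/INFO/<version>/<segment>."""
    name, metainfo, content = data_fields(packet)
    findings = naming_findings(packet)
    final = dict(metainfo).get(T_FINAL_BLOCK_ID)
    if final is None:
        findings.append("FinalBlockId missing from MetaInfo")
    elif parse_tlvs(final) != [name[-1]]:
        findings.append("FinalBlockId does not equal the last name component")
    ca_prefix = parse_tlvs(parse_tlvs(dict(parse_tlvs(content))[T_CA_PREFIX])[0][1])
    if ca_prefix != name[:-4]:  # strip CA, INFO, version, segment
        findings.append("ca-prefix does not match the profile name minus /CA/INFO/<v>/<s>")
    return findings

def build_data(name, content, final_block_id=None):
    """Assemble an unsigned Data packet (signature omitted; the checks never read it)."""
    meta = tlv(T_FRESHNESS, nonneg(1000))
    if final_block_id is not None:
        meta += tlv(T_FINAL_BLOCK_ID, tlv(*final_block_id))
    name_tlv = tlv(T_NAME, b"".join(tlv(*c) for c in name))
    return tlv(T_DATA, name_tlv + tlv(T_METAINFO, meta) + tlv(T_CONTENT, content))

# Constructed samples mirroring the captured packets: the same timestamp versions,
# 2014-style version and segment components, no FinalBlockId, ca-prefix /ndn.
G = lambda s: (T_GENERIC, s.encode())
def old(marker, n): return (T_GENERIC, bytes([marker]) + nonneg(n))  # 2014 marker component
PROFILE_NAME = [G("ndn"), G("CA"), G("INFO"), old(MARKER_VERSION, 0x176E3FBF23B), old(MARKER_SEGMENT, 0)]
METADATA_NAME = PROFILE_NAME[:3] + [(T_KEYWORD, b"metadata"), old(MARKER_VERSION, 0x176E4907CE1), old(MARKER_SEGMENT, 0)]
PROFILE_CONTENT = tlv(T_CA_PREFIX, tlv(T_NAME, tlv(*G("ndn")))) + tlv(T_CA_INFO, b"NDN Trust Anchor: /ndn")
DEPLOYED_METADATA = build_data(METADATA_NAME, tlv(T_NAME, b"".join(tlv(*c) for c in PROFILE_NAME)))
DEPLOYED_PROFILE = build_data(PROFILE_NAME, PROFILE_CONTENT)
FIXED_NAME = [to_2019(c) for c in PROFILE_NAME]  # typed version/segment components
FIXED_PROFILE = build_data(FIXED_NAME, PROFILE_CONTENT, final_block_id=FIXED_NAME[-1])

if __name__ == "__main__":
    print("metadata:", naming_findings(DEPLOYED_METADATA) or "OK")
    print("profile: ", profile_findings(DEPLOYED_PROFILE) or "OK")
    print("fixed:   ", profile_findings(FIXED_PROFILE) or "OK")
```

Run stand-alone it reports two 2014-convention components for the metadata name, three findings for the deployed profile (the two components plus the missing FinalBlockId; the ca-prefix check passes, since /ndn is the profile name minus /CA/INFO/<version>/<segment>), and nothing for the profile re-encoded with `to_2019` and given a FinalBlockId. One caveat `to_2019` inherits from the 2014 convention: a GenericNameComponent whose first octet happens to be 0x00 or 0xFD is indistinguishable from a marked segment or version, which is precisely the ambiguity the typed components remove.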