[Nfd-dev] [EXT]Re: Try NDNCERT (based on Interest-Data exchange) and get an NDN certificate today

Zhiyi Zhang zhiyi at cs.ucla.edu
Sat Jan 9 19:24:16 PST 2021


Hi Junxiao,

Thanks for the quick response.

On Fri, Jan 8, 2021 at 4:43 PM Junxiao Shi <shijunxiao at email.arizona.edu>
wrote:

> Hi Zhiyi
>
> Thanks for finishing the deployment, but you could have announced it
> earlier.
>
> I found three problems so far.
> These problems are relevant to the latest protocol revision:
>
> https://github.com/named-data/ndncert/wiki/NDNCERT-Protocol-0.3/46700d99c67dc94d13d26f838e4594f1f66d7c76
>
> Wrong naming convention
> The protocol requires the version and segment component to use 2019 naming
> convention: the terminology section links to TR-0022 rev2.
> However, the RDR server is returning a version number in 2014 naming
> convention.
> $ ndnpeek -Pf /ndn/CA/INFO/32=metadata | ndn-dissect
> 6 (Data) (size: 179)
>   7 (Name) (size: 40)
>     8 (GenericNameComponent) (size: 3) [[ndn]]
>     8 (GenericNameComponent) (size: 2) [[CA]]
>     8 (GenericNameComponent) (size: 4) [[INFO]]
>     32 (KeywordNameComponent) (size: 8) [[metadata]]
>     8 (GenericNameComponent) (size: 9) [[%FD%00%00%01v%E4%90%7C%E1]]
>     8 (GenericNameComponent) (size: 2) [[%00%00]]
>   20 (MetaInfo) (size: 3)
>     25 (FreshnessPeriod) (size: 1) [[%0A]]
>   21 (Content) (size: 28)
>     7 (Name) (size: 26)
>       8 (GenericNameComponent) (size: 3) [[ndn]]
>       8 (GenericNameComponent) (size: 2) [[CA]]
>       8 (GenericNameComponent) (size: 4) [[INFO]]
>       8 (GenericNameComponent) (size: 9) [[%FD%00%00%01v%E3%FB%F2%3B]]
>   22 (SignatureInfo) (size: 27)
>     27 (SignatureType) (size: 1) [[%03]]
>     28 (KeyLocator) (size: 22)
>       7 (Name) (size: 20)
>         8 (GenericNameComponent) (size: 3) [[ndn]]
>         8 (GenericNameComponent) (size: 3) [[KEY]]
>         8 (GenericNameComponent) (size: 8) [[e%9D%7F%A5%C5%81%10%7D]]
>   23 (SignatureValue) (size: 71)
>     48 (RESERVED_1) (size: 69)
>       2 (ParametersSha256DigestComponent) (size: 32) [[%02%9Cy%D6%3A%D3%B1%03%DC%B8%95%12%F6%3C%8A%85%B2%D7%BB%E2l%2B%B6%00%1A%BA%E8N%5B%D5%17%8D]]
>       2 (ParametersSha256DigestComponent) (size: 33) [[%00%81%82%EB%A5%B2%C1%F50t%8B%B5%07%1E%05%E7%F5%80%1E%2C%EB%EF%3C%9E%5B%D8%80%2C_%92%F8%CC%18]]
>

Oh, we didn't notice there is a new version of RDR.
Maybe this reflects that we also need to update the online doc (I remember we
followed the spec on Redmine).
Will fix this.


>
>
> FinalBlockId field missing in CA profile
> The protocol requires that the CA profile is versioned and segmented, and
> must be compatible with RDR protocol.
> This requirement implies that the last segment of the CA profile must
> carry a FinalBlockId field that contains a value equaling the last
> component.
> However, the CA profile packet does not have this field.
> $ ndnpeek /ndn/CA/INFO/%FD%00%00%01v%E3%FB%F2%3B/%00%00 | ndn-dissect | head
> 6 (Data) (size: 769)
>   7 (Name) (size: 30)
>     8 (GenericNameComponent) (size: 3) [[ndn]]
>     8 (GenericNameComponent) (size: 2) [[CA]]
>     8 (GenericNameComponent) (size: 4) [[INFO]]
>     8 (GenericNameComponent) (size: 9) [[%FD%00%00%01v%E3%FB%F2%3B]]
>     8 (GenericNameComponent) (size: 2) [[%00%00]]
>   20 (MetaInfo) (size: 4)
>     25 (FreshnessPeriod) (size: 2) [[%03%E8]]
>   21 (Content) (size: 625)
>

Right.


>
> Inconsistency in ca-prefix
> In the protocol, section 2.1.2 gives this example:
> T:Content, L, V:
>   T:ca-prefix, L, V:"/ndn/CA"
>   T:ca-info, L, V:"NDN Testbed CA"
>
> However, the ca-prefix field in the retrieved CA profile lacks the "/CA"
> component.
> $ ndnpeek -p /ndn/CA/INFO/%FD%00%00%01v%E3%FB%F2%3B/%00%00 | ndn-dissect | head
> 129 (APP_TAG_1) (size: 7)
>   7 (Name) (size: 5)
>     8 (GenericNameComponent) (size: 3) [[ndn]]
> 131 (APP_TAG_1) (size: 22) [[NDN%20Trust%20Anchor%3A%20%2Fndn]]
> 133 (APP_TAG_1) (size: 5) [[email]]
> 139 (APP_TAG_1) (size: 4) [[%00%13%C6%80]]
> 137 (APP_TAG_1) (size: 575)
>   6 (Data) (size: 571)
>     7 (Name) (size: 36)
>       8 (GenericNameComponent) (size: 3) [[ndn]]
>
> However, this is probably an error in the protocol write-up.
> If ca-prefix is supposed to contain the "CA" component, the packet names
> such as /<CA-prefix>/CA/NEW/<ParametersSha256Digest> would have two "CA"
> components.
> If this is the case, please update the example in the protocol write-up.
>

Yeah. The ca-prefix should not contain the CA component. The CA component is
added by the NDNCERT protocol.
The example in the spec needs to be fixed.

Best,
Zhiyi


>
> Yours, Junxiao
>
> On Fri, Jan 8, 2021 at 5:25 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>
>> Hi Junxiao,
>>
>> Yeah. It has been running and it supports both the PIN code challenge and
>> the email challenge.
>>
>> I just applied for a cert on my laptop (macOS) from Sun's server.
>> Since we now support RDR discovery and fetching of the CA profile, we don't
>> need to pre-configure the client. Instead, in step 2, type in the CA name
>> that you want to contact, and in step 2, check the certificate information
>> (the one shown below is a valid cert).
>>
>> ➜  ~ ndncert-client
>> ***************************************
>> Step 1: CA SELECTION
>> > Index: 0
>> >> CA prefix:/example
>> >> Introduction: An example NDNCERT CA
>> Please type in the CA's index that you want to apply or type in NONE if
>> your expected CA is not in the list:
>> none
>>
>> ***************************************
>> Step 2: ADD NEW CA
>> Please type in the CA's Name:
>> /ndn
>>
>> ***************************************
>> Step 2: Will use a new trust anchor, please double check the identity
>> info:
>> > New CA name: /ndn
>> > This trust anchor information is signed by:
>> Name=/ndn/KEY/e%9D%7F%A5%C5%81%10%7D
>> > The certificate: > The certificate: Certificate name:
>>   /ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B
>> Validity:
>>   NotBefore: 20171220T001939
>>   NotAfter: 20201231T235959
>> Additional Description:
>>   fullname: NDN Testbed Root
>> Public key bits:
>>   MIIBSzCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAA
>>   AAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA////
>>   ///////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMVAMSd
>>   NgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5
>>   RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8AAAAA
>>   //////////+85vqtpxeehPO5ysL8YyVRAgEBA0IABAUIdqatSflni6u9XO2ZSmBA
>>   +MjDwkx2RiPtCCLsm4oKVn2Jyfa/yOSgZseGqnTEdbN1rDWvlIgAmxI0MUXVM1g=
>> Signature Information:
>>   Signature Type: SignatureSha256WithEcdsa
>>   Key Locator: Self-Signed Name=/ndn/KEY/e%9D%7F%A5%C5%81%10%7D
>>
>> Do you trust the information? Type in YES or NO
>> yes
>> You answered YES: new CA /ndn will be used
>>
>> ***************************************
>> Step 3: Do you know your identity name to be certified by CA /ndn
>> already? Type in YES or NO
>> no
>> You answered NO
>>
>> ***************************************
>> Step 4: Please provide information for name assignment
>> Please input: email
>> zhangzhiyi1919 at gmail.com
>> Got it. This is what you've provided:
>> email : zhangzhiyi1919 at gmail.com
>>
>> ***************************************
>> Step 5: You can either select one of the following names suggested by the
>> CA:
>> > Index: 0
>> >> Suggested name: /ndn/zhangzhiyi1919%40gmail.com
>> >> Corresponding Max sufiix length: 2
>>
>> Or choose another trusted CA suggested by the CA:
>> Please type in the index of your choice:
>> 0
>> You selected name: /ndn/zhangzhiyi1919%40gmail.com
>> Enter Suffix if you would like one (Enter to skip):
>>
>> ***************************************
>> Step 6: Please type in your expected validity period of your certificate.
>> Type the number of hours (168 for week, 730 for month, 8760 for year). The
>> CA may reject your application if your expected period is too long.
>> 100
>> The validity period of your certificate will be: 100 hours
>>
>> ***************************************
>> Step 7: CHALLENGE SELECTION
>> > Index: 0
>> >> Challenge:email
>> > Index: 1
>> >> Challenge:pin
>> Please type in the challenge index that you want to perform:
>> 0
>> The challenge has been selected: email
>>
>> ***************************************
>> Step 8: Please provide parameters used for Identity Verification Challenge
>> Please input your email address
>> zhangzhiyi1919 at gmail.com
>> Got it. This is what you've provided:
>> email : zhangzhiyi1919 at gmail.com
>>
>> ***************************************
>> Step 8: Please provide parameters used for Identity Verification Challenge
>> Please input your verification code
>> 537720
>> Got it. This is what you've provided:
>> code : 537720
>> Certificate has already been issued, downloading certificate...
>>
>> ***************************************
>> Step 8: DONE
>> Certificate with Name: /ndn/zhangzhiyi1919%40gmail.com/KEY/%9B%93%17L%81%11%7C%AE/NDNCERT/725316137953299380 has
>> already been installed to your local keychain
>> Exit now%
>>
>>
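One way to check the first two problems Junxiao raised (2014-style version and segment components, and the missing FinalBlockId on the CA profile's last segment) mechanically, as an added example that is not the NDNCERT or ndn-cxx projects' own code: a minimal NDN TLV parser in Python that classifies the last two name components of a Data packet as 2014 (marker byte inside a GenericNameComponent) or 2019 (typed VersionNameComponent / SegmentNameComponent) convention, and verifies that the last segment carries a FinalBlockId equal to its own segment component. The type numbers are assumed from the NDN packet format v0.3 and Naming Conventions rev2; the two sample packets are constructed here from the ndn-dissect output in the thread and carry no signature.

```python
"""Checks for the two RDR/CA-profile problems discussed in the thread.

Added example; not code from the NDNCERT or ndn-cxx projects. Type numbers
assumed: NDN packet format v0.3 (Data=6, Name=7, GenericNameComponent=8,
MetaInfo=20, Content=21, FreshnessPeriod=25, FinalBlockId=26) and NDN Naming
Conventions rev2 (SegmentNameComponent=50, VersionNameComponent=54); the 2014
convention marks version/segment with a 0xFD / 0x00 first byte inside a
GenericNameComponent. Sample packets are constructed from the thread's
ndn-dissect output and are unsigned.
"""
from typing import Iterator, List, Tuple

TLV_DATA, TLV_NAME, TLV_GENERIC = 6, 7, 8
TLV_METAINFO, TLV_CONTENT, TLV_FRESHNESS, TLV_FINALBLOCKID = 20, 21, 25, 26
TLV_SEGMENT, TLV_VERSION = 50, 54            # typed components, 2019 convention
MARKER_SEGMENT, MARKER_VERSION = 0x00, 0xFD  # first-byte markers, 2014 convention

Component = Tuple[int, bytes]


def encode_varnum(n: int) -> bytes:
    """Variable-length encoding used for TLV-TYPE and TLV-LENGTH."""
    if n < 253:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "big")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "big")
    return b"\xff" + n.to_bytes(8, "big")


def decode_varnum(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (number, next position)."""
    first = buf[pos]
    if first < 253:
        return first, pos + 1
    width = {253: 2, 254: 4, 255: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "big"), pos + 1 + width


def tlv(t: int, v: bytes) -> bytes:
    return encode_varnum(t) + encode_varnum(len(v)) + v


def iter_tlvs(buf: bytes) -> Iterator[Component]:
    """Yield (type, value) for each TLV packed back-to-back in buf."""
    pos = 0
    while pos < len(buf):
        t, pos = decode_varnum(buf, pos)
        length, pos = decode_varnum(buf, pos)
        yield t, buf[pos:pos + length]
        pos += length


def component_convention(t: int, v: bytes) -> str:
    """'2019' for a typed version/segment component, '2014' for a marker-based
    one inside a GenericNameComponent, 'plain' for anything else."""
    if t in (TLV_VERSION, TLV_SEGMENT):
        return "2019"
    if t == TLV_GENERIC and v and v[0] in (MARKER_VERSION, MARKER_SEGMENT):
        return "2014"
    return "plain"


def check_rdr_data(wire: bytes, expect_last_segment: bool = True) -> List[str]:
    """List the RDR requirements one Data packet violates: the last two name
    components must be 2019 version and segment components, and the last
    segment's MetaInfo must carry a FinalBlockId equal to its own segment
    component (only the last segment is required to match, hence the flag)."""
    findings: List[str] = []
    outer = list(iter_tlvs(wire))
    if len(outer) != 1 or outer[0][0] != TLV_DATA:
        return ["not a single Data TLV"]
    comps: List[Component] = []
    metainfo = b""
    for t, v in iter_tlvs(outer[0][1]):
        if t == TLV_NAME:
            comps = list(iter_tlvs(v))
        elif t == TLV_METAINFO:
            metainfo = v
    if len(comps) < 2:
        return ["name is too short for <prefix>/<version>/<segment>"]
    for label, comp in (("version", comps[-2]), ("segment", comps[-1])):
        conv = component_convention(*comp)
        if conv != "2019":
            findings.append(f"{label} component uses {conv} convention, expected 2019")
    final_block = [v for t, v in iter_tlvs(metainfo) if t == TLV_FINALBLOCKID]
    if not final_block:
        findings.append("FinalBlockId missing from MetaInfo")
    elif expect_last_segment and final_block[0] != tlv(*comps[-1]):
        findings.append("FinalBlockId does not equal the last name component")
    return findings


def build_data(comps: List[Component], final_block_id: bytes = b"",
               content: bytes = b"") -> bytes:
    """Unsigned Data TLV: enough for the checks above, not a valid NDN packet."""
    name = tlv(TLV_NAME, b"".join(tlv(t, v) for t, v in comps))
    meta = tlv(TLV_FRESHNESS, b"\x0a")
    if final_block_id:
        meta += tlv(TLV_FINALBLOCKID, final_block_id)
    return tlv(TLV_DATA, name + tlv(TLV_METAINFO, meta) + tlv(TLV_CONTENT, content))


PREFIX: List[Component] = [(TLV_GENERIC, b"ndn"), (TLV_GENERIC, b"CA"), (TLV_GENERIC, b"INFO")]
VERSION = bytes.fromhex("00000176e3fbf23b")  # timestamp version seen in the dissect output

# Mirrors the deployed packet: marker-based version and segment, no FinalBlockId.
AS_DEPLOYED = build_data(
    PREFIX + [(TLV_GENERIC, b"\xfd" + VERSION), (TLV_GENERIC, b"\x00\x00")],
    content=b"<ca profile>")

# What the protocol asks for: typed components, FinalBlockId naming the only
# (hence last) segment.
CORRECTED = build_data(
    PREFIX + [(TLV_VERSION, VERSION), (TLV_SEGMENT, b"\x00")],
    final_block_id=tlv(TLV_SEGMENT, b"\x00"), content=b"<ca profile>")

if __name__ == "__main__":
    for label, pkt in (("as deployed", AS_DEPLOYED), ("corrected", CORRECTED)):
        print(label, check_rdr_data(pkt) or "ok")
```

Run against a live CA, replace the constructed packets with the raw output of `ndnpeek` (the dissector is not needed); a consumer that enforces these two checks before using the profile will refuse the currently deployed packet for exactly the reasons stated in the thread.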