[Nfd-dev] Re: Try NDNCERT (based on Interest-Data exchange) and get an NDN certificate today

Davide Pesavento davidepesa at gmail.com
Sun Jan 10 12:25:00 PST 2021


On Fri, Jan 8, 2021 at 7:43 PM Junxiao Shi via Nfd-dev
<nfd-dev at lists.cs.ucla.edu> wrote:
>
> Hi Zhiyi
>
> Thanks for finishing the deployment, but you could have announced it earlier.
>
> I found three problems so far.
> These problems are relevant to the latest protocol revision:
> https://github.com/named-data/ndncert/wiki/NDNCERT-Protocol-0.3/46700d99c67dc94d13d26f838e4594f1f66d7c76
>
> Wrong naming convention
> The protocol requires the version and segment components to use the 2019 naming convention: the terminology section links to TR-0022 rev2.
> However, the RDR server is returning a version number in the 2014 naming convention.
> $ ndnpeek -Pf /ndn/CA/INFO/32=metadata | ndn-dissect
> 6 (Data) (size: 179)
>   7 (Name) (size: 40)
>     8 (GenericNameComponent) (size: 3) [[ndn]]
>     8 (GenericNameComponent) (size: 2) [[CA]]
>     8 (GenericNameComponent) (size: 4) [[INFO]]
>     32 (KeywordNameComponent) (size: 8) [[metadata]]
>     8 (GenericNameComponent) (size: 9) [[%FD%00%00%01v%E4%90%7C%E1]]
>     8 (GenericNameComponent) (size: 2) [[%00%00]]
>   20 (MetaInfo) (size: 3)
>     25 (FreshnessPeriod) (size: 1) [[%0A]]
>   21 (Content) (size: 28)
>     7 (Name) (size: 26)
>       8 (GenericNameComponent) (size: 3) [[ndn]]
>       8 (GenericNameComponent) (size: 2) [[CA]]
>       8 (GenericNameComponent) (size: 4) [[INFO]]
>       8 (GenericNameComponent) (size: 9) [[%FD%00%00%01v%E3%FB%F2%3B]]
>   22 (SignatureInfo) (size: 27)
>     27 (SignatureType) (size: 1) [[%03]]
>     28 (KeyLocator) (size: 22)
>       7 (Name) (size: 20)
>         8 (GenericNameComponent) (size: 3) [[ndn]]
>         8 (GenericNameComponent) (size: 3) [[KEY]]
>         8 (GenericNameComponent) (size: 8) [[e%9D%7F%A5%C5%81%10%7D]]
>   23 (SignatureValue) (size: 71)
>     48 (RESERVED_1) (size: 69)
>       2 (ParametersSha256DigestComponent) (size: 32) [[%02%9Cy%D6%3A%D3%B1%03%DC%B8%95%12%F6%3C%8A%85%B2%D7%BB%E2l%2B%B6%00%1A%BA%E8N%5B%D5%17%8D]]
>       2 (ParametersSha256DigestComponent) (size: 33) [[%00%81%82%EB%A5%B2%C1%F50t%8B%B5%07%1E%05%E7%F5%80%1E%2C%EB%EF%3C%9E%5B%D8%80%2C_%92%F8%CC%18]]
>
> FinalBlockId field missing in CA profile
> The protocol requires that the CA profile is versioned and segmented, and must be compatible with RDR protocol.
> This requirement implies that the last segment of the CA profile must carry a FinalBlockId field that contains a value equaling the last component.
> However, the CA profile packet does not have this field.

While I agree that including FinalBlockId would be preferable, I don't
remember this being a hard requirement. Where does the spec say that
FinalBlockId is mandatory?

> $ ndnpeek /ndn/CA/INFO/%FD%00%00%01v%E3%FB%F2%3B/%00%00 | ndn-dissect | head
> 6 (Data) (size: 769)
>   7 (Name) (size: 30)
>     8 (GenericNameComponent) (size: 3) [[ndn]]
>     8 (GenericNameComponent) (size: 2) [[CA]]
>     8 (GenericNameComponent) (size: 4) [[INFO]]
>     8 (GenericNameComponent) (size: 9) [[%FD%00%00%01v%E3%FB%F2%3B]]
>     8 (GenericNameComponent) (size: 2) [[%00%00]]
>   20 (MetaInfo) (size: 4)
>     25 (FreshnessPeriod) (size: 2) [[%03%E8]]
>   21 (Content) (size: 625)
>
> Inconsistency in ca-prefix
> In the protocol, section 2.1.2 gives this example:
> T:Content, L, V:
>   T:ca-prefix, L, V:"/ndn/CA"
>   T:ca-info, L, V:"NDN Testbed CA"
>
> However, the ca-prefix field in the retrieved CA profile lacks the "/CA" component.
> $ ndnpeek -p /ndn/CA/INFO/%FD%00%00%01v%E3%FB%F2%3B/%00%00 | ndn-dissect | head
> 129 (APP_TAG_1) (size: 7)
>   7 (Name) (size: 5)
>     8 (GenericNameComponent) (size: 3) [[ndn]]
> 131 (APP_TAG_1) (size: 22) [[NDN%20Trust%20Anchor%3A%20%2Fndn]]
> 133 (APP_TAG_1) (size: 5) [[email]]
> 139 (APP_TAG_1) (size: 4) [[%00%13%C6%80]]
> 137 (APP_TAG_1) (size: 575)
>   6 (Data) (size: 571)
>     7 (Name) (size: 36)
>       8 (GenericNameComponent) (size: 3) [[ndn]]
>
> However, this is probably an error in the protocol write-up.
> If ca-prefix is supposed to contain the "CA" component, the packet names such as /<CA-prefix>/CA/NEW/<ParametersSha256Digest> would have two "CA" components.
> If this is the case, please update the example in the protocol write-up.

I guess a related question is whether "CA" is considered a well-known
name component used by the NDNCERT protocol and therefore used by all
instances (and if so, why not "ndncert" instead of "CA"?), or if it's
just a deployment/configuration decision that could differ per site.

>
> Yours, Junxiao
>
> On Fri, Jan 8, 2021 at 5:25 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>>
>> Hi Junxiao,
>>
>> Yeah. It has been running and it supports both PIN code challenge and email challenge.
>>
>> I just applied for a cert on my laptop (macOS) from Sun's server.
>> Since we now support RDR discovery and fetching of the CA profile, we don't need to pre-configure the client. Instead, in step 2, type in the CA name that you want to contact, and in step 2, check the certificate information (the one shown below is a valid cert).
>>
>> ➜  ~ ndncert-client
>> ***************************************
>> Step 1: CA SELECTION
>> > Index: 0
>> >> CA prefix:/example
>> >> Introduction: An example NDNCERT CA
>> Please type in the CA's index that you want to apply or type in NONE if your expected CA is not in the list:
>> none
>>
>> ***************************************
>> Step 2: ADD NEW CA
>> Please type in the CA's Name:
>> /ndn
>>
>> ***************************************
>> Step 2: Will use a new trust anchor, please double check the identity info:
>> > New CA name: /ndn
>> > This trust anchor information is signed by: Name=/ndn/KEY/e%9D%7F%A5%C5%81%10%7D
>> > The certificate: > The certificate: Certificate name:
>>   /ndn/KEY/e%9D%7F%A5%C5%81%10%7D/ndn/%FD%00%00%01%60qJQ%9B
>> Validity:
>>   NotBefore: 20171220T001939
>>   NotAfter: 20201231T235959
>> Additional Description:
>>   fullname: NDN Testbed Root
>> Public key bits:
>> Signature Information:
>>   Signature Type: SignatureSha256WithEcdsa
>>   Key Locator: Self-Signed Name=/ndn/KEY/e%9D%7F%A5%C5%81%10%7D
>>
>> Do you trust the information? Type in YES or NO
>> yes
>> You answered YES: new CA /ndn will be used
>>
>> ***************************************
>> Step 3: Do you know your identity name to be certified by CA /ndn already? Type in YES or NO
>> no
>> You answered NO
>>
>> ***************************************
>> Step 4: Please provide information for name assignment
>> Please input: email
>> zhangzhiyi1919 at gmail.com
>> Got it. This is what you've provided:
>> email : zhangzhiyi1919 at gmail.com
>>
>> ***************************************
>> Step 5: You can either select one of the following names suggested by the CA:
>> > Index: 0
>> >> Suggested name: /ndn/zhangzhiyi1919%40gmail.com
>> >> Corresponding Max sufiix length: 2
>>
>> Or choose another trusted CA suggested by the CA:
>> Please type in the index of your choice:
>> 0
>> You selected name: /ndn/zhangzhiyi1919%40gmail.com
>> Enter Suffix if you would like one (Enter to skip):
>>
>> ***************************************
>> Step 6: Please type in your expected validity period of your certificate. Type the number of hours (168 for week, 730 for month, 8760 for year). The CA may reject your application if your expected period is too long.
>> 100
>> The validity period of your certificate will be: 100 hours
>>
>> ***************************************
>> Step 7: CHALLENGE SELECTION
>> > Index: 0
>> >> Challenge:email
>> > Index: 1
>> >> Challenge:pin
>> Please type in the challenge index that you want to perform:
>> 0
>> The challenge has been selected: email
>>
>> ***************************************
>> Step 8: Please provide parameters used for Identity Verification Challenge
>> Please input your email address
>> zhangzhiyi1919 at gmail.com
>> Got it. This is what you've provided:
>> email : zhangzhiyi1919 at gmail.com
>>
>> ***************************************
>> Step 8: Please provide parameters used for Identity Verification Challenge
>> Please input your verification code
>> 537720
>> Got it. This is what you've provided:
>> code : 537720
>> Certificate has already been issued, downloading certificate...
>>
>> ***************************************
>> Step 8: DONE
>> Certificate with Name: /ndn/zhangzhiyi1919%40gmail.com/KEY/%9B%93%17L%81%11%7C%AE/NDNCERT/725316137953299380has already been installed to your local keychain
>> Exit now%
>>


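An added example (not code from this thread, from ndncert or from ndn-cxx) that makes the first reported problem concrete: it decodes the RDR metadata name shown in the ndn-dissect output above, flags the version and segment components that are still GenericNameComponents carrying 2014-style marker bytes, and re-encodes them as the typed VersionNameComponent (54) and SegmentNameComponent (50) that naming conventions rev2 prescribe. The TLV helpers only handle 1-byte TYPE and LENGTH fields (values below 253), which is enough for names.

```python
GENERIC, KEYWORD, SEGMENT, VERSION = 8, 32, 50, 54  # NDN TLV-TYPE numbers (rev2 typed components)
VERSION_MARKER, SEGMENT_MARKER = 0xFD, 0x00         # 2014-convention marker bytes inside type-8 components

def put_tlv(t, v):
    """Encode one TLV; only 1-byte TYPE/LENGTH (< 253) is supported, enough for names."""
    assert t < 253 and len(v) < 253
    return bytes([t, len(v)]) + v

def decode_name(buf):
    """Parse a short Name TLV (type 7) into a list of (type, value) components."""
    assert buf[0] == 7 and buf[1] < 253 and buf[1] == len(buf) - 2, "not a short Name TLV"
    comps, pos = [], 2
    while pos < len(buf):
        t, length = buf[pos], buf[pos + 1]
        comps.append((t, buf[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return comps

def classify(t, v):
    """(kind, number, convention) for a version/segment component, else None. The 2014 check is
    inherently heuristic: any type-8 value starting with 0xFD or 0x00 looks like a marker."""
    if t == VERSION: return ("version", int.from_bytes(v, "big"), "2019")
    if t == SEGMENT: return ("segment", int.from_bytes(v, "big"), "2019")
    if t == GENERIC and v and v[0] == VERSION_MARKER: return ("version", int.from_bytes(v[1:], "big"), "2014")
    if t == GENERIC and v and v[0] == SEGMENT_MARKER: return ("segment", int.from_bytes(v[1:], "big"), "2014")
    return None

def nonneg_int(n):
    """NonNegativeInteger encoding: big-endian in the smallest of 1, 2, 4 or 8 bytes."""
    for size in (1, 2, 4, 8):
        if n < 1 << (8 * size): return n.to_bytes(size, "big")
    raise ValueError("value does not fit in 8 bytes")

def findings(buf):
    """(kind, number) of every component still using the 2014 marker convention."""
    return [c[:2] for t, v in decode_name(buf) if (c := classify(t, v)) and c[2] == "2014"]

def to_rev2(buf):
    """Re-encode a Name, replacing 2014-style marker components with typed rev2 components."""
    body = b""
    for t, v in decode_name(buf):
        c = classify(t, v)
        if c and c[2] == "2014":
            t, v = (VERSION if c[0] == "version" else SEGMENT), nonneg_int(c[1])
        body += put_tlv(t, v)
    return put_tlv(7, body)

# Constructed to match the metadata Data name in the ndn-dissect output above (a 40-byte Name TLV).
METADATA_NAME = put_tlv(7, put_tlv(GENERIC, b"ndn") + put_tlv(GENERIC, b"CA") + put_tlv(GENERIC, b"INFO")
                        + put_tlv(KEYWORD, b"metadata") + put_tlv(GENERIC, bytes.fromhex("fd00000176e4907ce1"))
                        + put_tlv(GENERIC, b"\x00\x00"))
```

Running `findings(METADATA_NAME)` reports the 2014-style version (a millisecond timestamp) and segment 0, and `to_rev2` yields the name a rev2-conformant RDR server should have returned.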