[Nfd-dev] [EXT]Re: Try NDNCERT (based on Interest-Data exchange) and get an NDN certificate today

Davide Pesavento davidepesa at gmail.com
Sun Jan 10 13:55:58 PST 2021


On Sun, Jan 10, 2021 at 3:54 PM Junxiao Shi
<shijunxiao at email.arizona.edu> wrote:
>
> Hi Davide
>
>> >
>> > FinalBlockId field missing in CA profile
>> > The protocol requires that the CA profile is versioned and segmented, and must be compatible with RDR protocol.
>> > This requirement implies that the last segment of the CA profile must carry a FinalBlockId field that contains a value equaling the last component.
>> > However, the CA profile packet does not have this field.
>>
>> While I agree that including FinalBlockId would be preferable, I don't
>> remember this being a hard requirement. Where does the spec say that
>> FinalBlockId is mandatory?
>
>
> The requirement on having FinalBlockId in CA profile packet is not directly specified in NDNCERT 0.3 protocol, but inherited from naming convention and RDR specs. CA profile is a segmented object, and the NDNCERT 0.3 protocol says it must be retrievable using RDR protocol. In order to be retrievable with an RDR-compliant fetcher (e.g. ndncatchunks), the last segment needs to have FinalBlockId.

I don't think so? The description of RDR [1] doesn't mention
FinalBlockId either. The NDN spec recommends it but doesn't require
it. The behavior of a specific implementation is not particularly
relevant here but IIRC ndncatchunks can fetch a segmented object
without FinalBlockId (it will report an error at the end but it will
fetch the object up to the last retrievable segment, i.e. until all
higher-numbered segments in the current window time out).

Again, I do agree that having the FinalBlockId at least in the last
segment is better, but I'm trying to clarify that it's not a hard
requirement, as far as I know.

[1] https://redmine.named-data.net/projects/ndn-tlv/wiki/RDR

>
>>
>> I guess a related question is whether "CA" is considered a well-known
>> name component used by the NDNCERT protocol and therefore used by all
>> instances (and if so, why not "ndncert" instead of "CA"?), or if it's
>> just a deployment/configuration decision that could differ per site.
>>
>
> I'd consider "8=CA" to be a well-known keyword.

This should be clarified in the NDNCERT spec. Moreover, the spec
should say whether "ca-prefix" includes this component or not.

Davide
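
[Added example, not part of the original message and not ndncatchunks or NDNCERT code.] A toy Python model of the fetcher behaviour discussed above: with FinalBlockId on the last segment the consumer knows where the object ends, and without it the consumer stops only when a whole window times out and cannot tell a complete object from a truncated one. The in-memory producer, the function names and the window size are assumptions made for illustration.

```python
# Constructed model: a Data packet is (payload, final_block_id);
# final_block_id is None when the producer omits the field.
def make_producer(payloads, set_final_block_id):
    last = len(payloads) - 1
    def fetch(seg):
        if seg > last:
            return None  # no such segment: the Interest times out
        fbi = last if (set_final_block_id and seg == last) else None
        return payloads[seg], fbi
    return fetch

def fetch_object(fetch, window=4):
    """Return (payloads, clean). clean is True only when a FinalBlockId
    told the consumer which segment is the last one."""
    received, final, next_seg = {}, None, 0
    while True:
        hi = next_seg + window
        if final is not None:
            hi = min(hi, final + 1)  # never ask past the known end
        got_any = False
        for seg in range(next_seg, hi):
            reply = fetch(seg)
            if reply is None:
                continue
            got_any = True
            received[seg], fbi = reply
            if fbi is not None:
                final = fbi
        next_seg = hi
        if final is not None and all(s in received for s in range(final + 1)):
            return [received[s] for s in range(final + 1)], True
        if not got_any:
            # Whole window timed out: return the contiguous prefix and
            # flag that the end of the object was only inferred.
            out, s = [], 0
            while s in received:
                out.append(received[s])
                s += 1
            return out, False

if __name__ == "__main__":
    profile = [b"seg0", b"seg1", b"seg2", b"seg3", b"seg4", b"seg5"]
    print(fetch_object(make_producer(profile, True)))       # clean finish
    print(fetch_object(make_producer(profile, False)))      # inferred end
    print(fetch_object(make_producer(profile[:3], False)))  # truncated copy
```

In this model the second and third calls both return `clean == False`, so a consumer that needs the whole CA profile has to treat the inferred end as unverified.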

