NDNCERT List Function
The NDNCERT list function enables a requester to send a LIST Interest and get information about all available CAs.

```
certificate requester                          CA
        |        /localhost/CA/_LIST            |
        | ------------------------------------> |
        |                                       |
        |          All available CAs            |
        | <------------------------------------ |
        |                                       |
   Select one CA                                |
        |                                       |
Standard NDNCERT protocol between requester and one child CA
```
The Interest name is fixed for now:

```
Interest: /localhost/CA/_LIST
```

The CA registers the prefix /localhost/CA/_LIST when it starts. Whenever the CA receives this Interest, it collects all the available CAs, generates JSON in the NDNCERT client configuration format and replies. The Data packet is signed by the CA using the default key of the local KeyChain. The JSON in the Data packet has the same format as the client configuration, for example:
```json
{
  "ca-list":
  [
    {
      "ca-prefix": "/ndn/edu/ucla/CA",
      "ca-info": "UCLA's certificate authority, located in BH4805.",
      "probe": "Please use your email address to apply a namespace first. UCLA email is preferred.",
      "supported-challenges":
      [
        { "type": "PIN" },
        { "type": "EMAIL" }
      ]
    },
    {
      "ca-prefix": "/ndn/edu/ucla/zhiyi/CA",
      "ca-info": "Zhiyi's own certificate authority",
      "supported-challenges":
      [
        { "type": "PIN" }
      ]
    }
  ]
}
```
Two more requirements:
- The CA should be able to work as a proxy for other CAs and redirect certificate requests to them.
- For CAs not running on the local node, ndncert should be able to answer the LIST and/or PROBE request.

There are two possible formats for a LIST request.
- Without any additional information: the CA replies with all related CAs.

```
certificate requester                          CA
        |          /ndn/CA/_LIST                |
        | ------------------------------------> |
        |                                       |
        |   All available CA names + schema     |
        | <------------------------------------ |
        |                                       |
   Select one CA                                |
        |                                       |
Standard NDNCERT protocol between requester and one child CA
```
- With some additional information: the CA replies with a recommended CA.

```
certificate requester                          CA
        |          /ndn/CA/_LIST                |
        | ------------------------------------> |
        |                                       |
        |     Recommended CA name + schema      |
        | <------------------------------------ |
        |                                       |
Standard NDNCERT protocol between requester and the recommended CA
```
Therefore we need a new kind of CA item in the configuration to support these features. Two fields, targeted-list and related-ca-list, are specific to the LIST function:
- targeted-list is optional. If present, it indicates which additional information should be appended to the request to get a recommended CA.
- related-ca-list is required if the CA wants to support the LIST function.
```json
{
  "ca-prefix": "/ndn",
  "issuing-freshness": "720",
  "validity-period": "360",
  "ca-info": "NDN Testbed CA",
  "probe": "Use the university/organization name as input",
  "targeted-list": "Use your email address (edu preferred) as input",
  "related-ca-list":
  [
    { "ca-prefix": "/ndn/edu/arizona" },
    { "ca-prefix": "/ndn/edu/memphis" }
  ],
  "supported-challenges":
  [
    { "type": "PIN" }
  ]
},
```
Whenever the NDNCERT agent receives a request for /ndn/CA/_LIST, the agent answers the Interest by collecting all the information a requester needs. The reply Data packet carries a complete client configuration containing all related CA items. The format is like:

```json
{
  "ca-list":
  [
    { "ca-prefix": "/ndn/edu/arizona" },
    { "ca-prefix": "/ndn/edu/memphis" }
  ],
  "trust-schema": "/ndn/CA/name/of/trustschema"
}
```
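As an added illustration (not NDNCERT's own code), the following builds the LIST reply from a CA item in the format above and applies a requester-side sanity check on the answer. It assumes the Interest name is `<ca-prefix>/CA/_LIST` as in the /ndn example, uses the page's placeholder trust-schema name, and the namespace check in `check_list_reply` is an assumption of this example, not part of the protocol; packet signing and verification are left to the NDN library.

```python
import json

# Constructed CA configuration item in the format described on this page.
CA_CONFIG = {
    "ca-prefix": "/ndn",
    "issuing-freshness": "720",
    "validity-period": "360",
    "ca-info": "NDN Testbed CA",
    "probe": "Use the university/organization name as input",
    "targeted-list": "Use your email address (edu preferred) as input",
    "related-ca-list": [
        {"ca-prefix": "/ndn/edu/arizona"},
        {"ca-prefix": "/ndn/edu/memphis"},
    ],
    "supported-challenges": [{"type": "PIN"}],
}

# Placeholder trust schema name taken from the page; how it is derived is not specified.
TRUST_SCHEMA = "/ndn/CA/name/of/trustschema"

# Assumption: the LIST Interest is <ca-prefix>/CA/_LIST, as in the /ndn/CA/_LIST example.
LIST_SUFFIX = "/CA/_LIST"

def supports_list(ca_config):
    """A CA may answer LIST only if related-ca-list is present (required by the page)."""
    return "related-ca-list" in ca_config

def is_list_interest(name, ca_config):
    """True if the Interest name is exactly the CA's LIST name."""
    return name == ca_config["ca-prefix"] + LIST_SUFFIX

def build_list_reply(ca_config, interest_name):
    """Reply for a plain LIST request: all related CA items plus the trust schema.
    Returns None if the Interest is not this CA's LIST name or LIST is unsupported."""
    if not supports_list(ca_config) or not is_list_interest(interest_name, ca_config):
        return None
    return {
        "ca-list": [{"ca-prefix": item["ca-prefix"]} for item in ca_config["related-ca-list"]],
        "trust-schema": TRUST_SCHEMA,
    }

def encode_reply(reply):
    """Serialise the reply as the JSON content of the (to-be-signed) Data packet."""
    return json.dumps(reply).encode("utf-8")

def check_list_reply(reply, parent_prefix):
    """Requester-side sanity check (an assumption of this example): every listed CA
    prefix must lie under the namespace of the CA that answered, and a trust-schema
    name must be present, so a reply cannot steer the requester to an unrelated CA."""
    for item in reply.get("ca-list", []):
        if not item.get("ca-prefix", "").startswith(parent_prefix + "/"):
            return False
    return isinstance(reply.get("trust-schema"), str)
```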