NDNCERT Protocol 0.3 Renewal Revocation
RENEW is for a requester to renew its certificate with the CA. The Interest and Data formats in RENEW are almost identical to those in NEW except for the packet names. The RENEW step works in the same way as NEW.
Interest format:
Field | Description |
---|---|
Name | /<CA-prefix>/CA/RENEW/<ParameterSha256Digest> |
ApplicationParameters | TLV format of value as defined in 2.3.2 |
Can Be Prefix | False |
Must Be Fresh | True |
Signature | Signed by the private key whose public key is going to be certified by the CA |
Data format:
Field | Description |
---|---|
Name | /<CA-prefix>/CA/RENEW/<ParameterSha256Digest> |
Content | TLV format of value as defined in 2.3.2 |
Signature | Signed by CA's identity key |
Certificate renewal contains two steps: RENEW and CHALLENGE.
```
Requester                  CA
    |                      |
    |--------RENEW-------->|
    |<---------------------|
    |                      |
    |------CHALLENGE------>|
    |<---------------------|
```
From a requester's perspective:
- RENEW. The requester prepares a (new) asymmetric key pair (e.g., RSA, ECC), uses the private key to sign the public key into a self-signed certificate, and starts the application by taking the RENEW step.
- CHALLENGE. The requester selects one challenge among the challenges offered by the CA and finishes the in-band or out-of-band identity verification. Once the challenge is accomplished, the certificate will be issued.
From a CA's perspective:
- RENEW. The CA verifies the self-signed certificate from the requester and returns all the available challenges to the requester.
- CHALLENGE. According to the challenge selected by the requester, the CA sets up the challenge and verifies either
  - that the requester already owns a certificate issued by the CA, or
  - the requester's ownership of the identity.
REVOKE is for a requester to revoke its certificate with the CA. The Interest and Data formats in REVOKE are almost identical to those in NEW except for the packet names. The REVOKE step works in the same way as NEW, except that it does not return a new certificate name at the end. The CA is responsible for placing the revoked certificate in its certificate log.
Certificate revocation can be triggered by
- The CA who has issued the certificate
- The owner of the certificate
- Anyone who can prove ownership of the private key corresponding to the public key in the certificate.
Interest format:
Field | Description |
---|---|
Name | /<CA-prefix>/CA/REVOKE/<ParameterSha256Digest> |
ApplicationParameters | TLV format of value as defined in 2.3.2, with cert-request replaced by cert-to-revoke (the certificate to be revoked) |
Can Be Prefix | False |
Must Be Fresh | True |
Signature | No Signature Required |
Data format:
Field | Description |
---|---|
Name | /<CA-prefix>/CA/REVOKE/<ParameterSha256Digest> |
Content | TLV format of value as defined in 2.3.2 |
Signature | Signed by CA's identity key |
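Both the RENEW and REVOKE Interests above carry their ApplicationParameters digest as the last name component, so a CA can detect a parameter block that does not match the name before it looks at any signature or challenge. The following is an added example, not code from the NDNCERT project: it encodes the TLV fields with the NDN variable-size number scheme, builds the `/<CA-prefix>/CA/<STEP>/<ParameterSha256Digest>` name, and performs the CA-side digest check. The TLV type numbers for ApplicationParameters (0x24), GenericNameComponent (0x08) and ParametersSha256DigestComponent (0x02) follow NDN Packet Format v0.3; the digest is assumed here to be computed over the bytes from ApplicationParameters to the end of the Interest, and the sample parameter value is constructed.

```python
import hashlib
from typing import List

TLV_APP_PARAMS = 0x24           # ApplicationParameters (NDN Packet Format v0.3)
TLV_GENERIC_NAME_COMP = 0x08    # GenericNameComponent
TLV_PARAMS_DIGEST_COMP = 0x02   # ParametersSha256DigestComponent


def encode_varnum(n: int) -> bytes:
    """NDN variable-size number encoding used for TLV type and length fields."""
    if n < 253:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "big")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "big")
    return b"\xff" + n.to_bytes(8, "big")


def tlv(t: int, value: bytes) -> bytes:
    """Encode one TLV element: type, length, value."""
    return encode_varnum(t) + encode_varnum(len(value)) + value


def params_digest(interest_tail: bytes) -> bytes:
    """SHA-256 over the Interest bytes starting at ApplicationParameters (assumption, see lead-in)."""
    return hashlib.sha256(interest_tail).digest()


def build_request_name(ca_prefix: List[str], step: str, interest_tail: bytes) -> List[bytes]:
    """Build /<CA-prefix>/CA/<STEP>/<ParameterSha256Digest> as TLV-encoded name components."""
    if step not in ("NEW", "RENEW", "REVOKE"):
        raise ValueError("unknown NDNCERT step: " + step)
    comps = [tlv(TLV_GENERIC_NAME_COMP, c.encode()) for c in ca_prefix + ["CA", step]]
    comps.append(tlv(TLV_PARAMS_DIGEST_COMP, params_digest(interest_tail)))
    return comps


def ca_check_digest(name: List[bytes], interest_tail: bytes) -> bool:
    """CA-side check: the last name component must be a 32-byte digest matching the parameters."""
    last = name[-1]
    if len(last) != 34 or last[0] != TLV_PARAMS_DIGEST_COMP or last[1] != 32:
        return False
    return last[2:] == params_digest(interest_tail)


if __name__ == "__main__":
    # Constructed sample: a REVOKE request whose cert-to-revoke bytes are a placeholder.
    tail = tlv(TLV_APP_PARAMS, b"constructed cert-to-revoke bytes")
    name = build_request_name(["ndn", "edu", "ucla"], "REVOKE", tail)
    print("digest matches:", ca_check_digest(name, tail))
    print("tampered params detected:", not ca_check_digest(name, tlv(TLV_APP_PARAMS, b"tampered")))
```

For a signed RENEW Interest the bytes handed to `params_digest` would also include the trailing InterestSignatureInfo and InterestSignatureValue elements; for REVOKE, which requires no signature, the ApplicationParameters element alone is the tail.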
Certificate revocation contains two steps: REVOKE and CHALLENGE.
```
Requester                  CA
    |                      |
    |--------REVOKE------->|
    |<---------------------|
    |                      |
    |------CHALLENGE------>|
    |<---------------------|
```
From a requester's perspective:
- REVOKE. The requester prepares a (new) asymmetric key pair (e.g., RSA, ECC), prepares the certificate to be revoked, and starts the application by taking the REVOKE step.
- CHALLENGE. The requester selects one challenge among the challenges offered by the CA and finishes the in-band or out-of-band identity verification. Once the challenge is accomplished, the certificate will be revoked.
From a CA's perspective:
- REVOKE. The CA verifies that the certificate to be revoked comes from the requester and returns all the available challenges to the requester.
- CHALLENGE. According to the challenge selected by the requester, the CA sets up the challenge and verifies either
  - that the requester already owns the private key of the certificate, or
  - the requester's ownership of the identity.