Feature #1483
closedEnable directory type of trust-anchor in ValidatorConfig
Description
In some cases, it would be undesirable to add trust-anchor section for each trusted-certificate.
Therefore, it would be useful to specify a trust anchor directory and load trusted certificates from there.
trust-anchor
{
type dir
dir /usr/local/ndn/keys
refresh 10s
}
The type
property of such a trust-anchor should be dir
.
It should also have a dir
property whose value is an absolute path to the directory.
It may also have an optional property refresh
to indicate how frequently the certificate should be refreshed (i.e., reloaded from the directory).
The refresh
value must be a positive integer followed by a character as unit indicator such as (10s for 10 seconds)
Updated by Alex Afanasyev over 10 years ago
There is a question here. Should validator look into this directory every time it does validation or is it a one-time task at the application start? Or should it be provided with a call to reload settings?
Updated by Yingdi Yu over 10 years ago
I would like to leave the decision to users by providing a property refresh
trust-anchor
{
type dir
dir /usr/local/ndn/keys
refresh 10
}
If the value of refresh
is positive, then Validator will periodically reload trust anchors.
And the value is the time to wait (in seconds) for next reload.
If the value of refresh
is negative, then Validator will load trust anchors only when it is created.
If the value of refresh
is 0, then we need to set up some watcher on the directory to detect any changes... (I am not sure how to do this)
Updated by Alex Afanasyev over 10 years ago
We did watcher implementation, but it requires (in order to be easily platform independent) QT :( I would not have it in the library at all.
I would say refresh should be either positive time unit (I prefer it to be like 1 hour, 20 seconds, etc. I think there is a method for that somewhere) to do periodic refresh. If 0, then no refresh and use needs to do something. (We just need to provide a method to do manual refresh.)
Updated by Yingdi Yu over 10 years ago
- Description updated (diff)
Agree. We can just make refresh
optional. If it is not specified, then no periodical refreshing.
Updated by Yingdi Yu over 10 years ago
- Category set to Security
- Target version set to v0.2
Updated by Alex Afanasyev over 10 years ago
- Status changed from Code review to Closed
- % Done changed from 0 to 100