Project

General

Profile

Actions

Feature #1483

closed

Enable directory type of trust-anchor in ValidatorConfig

Added by Yingdi Yu over 10 years ago. Updated over 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Start date:
04/14/2014
Due date:
% Done:

100%

Estimated time:

Description

In some cases, it would be undesirable to add trust-anchor section for each trusted-certificate.
Therefore, it would be useful to specify a trust anchor directory and load trusted certificates from there.

trust-anchor
{
  type dir
  dir /usr/local/ndn/keys
  refresh 10s
}

The type property of such a trust-anchor should be dir.
It should also have a dir property whose value is an absolute path to the directory.
It may also have an optional property refresh to indicate how frequently the certificate should be refreshed (i.e., reloaded from the directory).
The refresh value must be a positive integer followed by a character as unit indicator such as (10s for 10 seconds)

Actions #1

Updated by Alex Afanasyev over 10 years ago

There is a question here. Should validator look into this directory every time it does validation or is it a one-time task at the application start? Or should it be provided with a call to reload settings?

Actions #2

Updated by Yingdi Yu over 10 years ago

I would like to leave the decision to users by providing a property refresh

trust-anchor
{
  type dir
  dir /usr/local/ndn/keys
  refresh 10
}

If the value of refresh is positive, then Validator will periodically reload trust anchors.
And the value is the time to wait (in seconds) for next reload.

If the value of refresh is negative, then Validator will load trust anchors only when it is created.

If the value of refresh is 0, then we need to set up some watcher on the directory to detect any changes... (I am not sure how to do this)

Actions #3

Updated by Alex Afanasyev over 10 years ago

We did watcher implementation, but it requires (in order to be easily platform independent) QT :( I would not have it in the library at all.

I would say refresh should be either positive time unit (I prefer it to be like 1 hour, 20 seconds, etc. I think there is a method for that somewhere) to do periodic refresh. If 0, then no refresh and use needs to do something. (We just need to provide a method to do manual refresh.)

Actions #4

Updated by Yingdi Yu over 10 years ago

  • Description updated (diff)

Agree. We can just make refresh optional. If it is not specified, then no periodical refreshing.

Actions #5

Updated by Yingdi Yu over 10 years ago

  • Status changed from New to Code review
Actions #6

Updated by Yingdi Yu over 10 years ago

  • Category set to Security
  • Target version set to v0.2
Actions #7

Updated by Alex Afanasyev over 10 years ago

  • Status changed from Code review to Closed
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF