Bug #2407
closed
Local certificate is not published
0%
Description
After a proper trust model is configured in localhop_security for remote registration, the remote hub needs to fetch the certificate from the requester to verify the signature. But it fails with error "can not fetch cert".
According to the traffic captured by ndndump, the remote hub sent out the interest for certificate, but the requester didn't answer it.
A temporary solution:
Before sending out remote registration command, just put the data of certificate of the key that signs this command on the face. Thus, the certificate will be cached in CS to answer the interest of certificate.
Updated by Alex Afanasyev about 9 years ago
- Subject changed from Remote hub can not fetch the certificate to verify remote registrations to Local certificate is not published
- Category set to RIB
- Status changed from New to In Progress
- Assignee set to Yanbiao Li
- Target version set to v0.3
Long-term solution is to use PIB service that will publish all local certificates. Right now, we need a short-term solution to fix the problem.
Updated by Junxiao Shi about 9 years ago
- Related to Feature #2181: Disallow unsolicited Data from local apps added
Updated by Junxiao Shi about 9 years ago
FYI: #2201 uses repo-ng on laptops to serve certificates.
Updated by Alex Afanasyev about 9 years ago
Hmm... I would actually consider running local ndns server.. The problem is that we are getting extra dependencies, which require extensive documentation.
Updated by Junxiao Shi over 8 years ago
- Target version changed from v0.3 to v0.4
Long-term solution is to use PIB service that will publish all local certificates. Right now, we need a short-term solution to fix the problem.
PIB service is completed in #3018.
We just need to update remote registration documentation and prompt user to use PIB service on end hosts.
Updated by Junxiao Shi over 8 years ago
- Status changed from In Progress to New
20150803 conference call confirms that the "temporary solution" is no longer necessary.
@Yanbiao will do a manual test, and update documentation together with #2413.
Updated by Junxiao Shi over 8 years ago
Updated by Yanbiao Li over 8 years ago
has the feature key-chain been merged?
Currently, I have two options:
1) write some code in the automatic prefix propagation to publish certificates into the PIB.
2) write a small tool to publish certificates into the PIB.
I guess both above options are just temporal solutions. As this issue is not so urgent (If it is, I can pick up one option to work with), I prefer to wait the feature key-chain merged.
Updated by Junxiao Shi over 8 years ago
PIB service is part of ndn-tools, which is already merged.
This issue only needs documentation update on how to use PIB service to publish end host's certificates; there's no coding.
Updated by Yanbiao Li over 8 years ago
PIB service works now, but it does not supply any command line option to publish certificates. The feature of publishing certificates automatically will be available after the feature key-chain is merged.
Currently, if you just want to test whether PIB works in the auto prefix propagation scenario, we have two options I mentioned in note-8. But both are temporal solutions that will be removed once the feature key-chain is merged.
For the dev guide, I think it should completely reflect what I did in the code. As I did not the write the code to publish certificates, I did not discuss the process in detail in the dev guide.
Updated by Junxiao Shi over 8 years ago
PIB service works now, but it does not supply any command line option to publish certificates. The feature of publishing certificates automatically will be available after the feature key-chain is merged.
Exactly which feature of that branch is needed?
As I understand, PIB service should automatically find all certificates in current user's PIB and publish them.
If there is a blocking feature, make this issue blocked by that feature.
Updated by Junxiao Shi over 8 years ago
- Blocked by Feature #1794: Make KeyChain use PIB Service added
Updated by Junxiao Shi over 8 years ago
At 20151020 conference call, @Yingdi Yu reveals that the problem is that today's PIB used by applications does not interact with PIB service, so that PIB service would not publish certificates created by an application at runtime.
After #1794 (would be part of feature-keychain branch), the PIB used by application would tell PIB service to publish certificates.
Updated by Alex Afanasyev over 8 years ago
- Target version changed from v0.4 to v0.5
Updated by Junxiao Shi almost 7 years ago
- Status changed from New to Duplicate
Before sending out remote registration command, just put the data of certificate of the key that signs this command on the face. Thus, the certificate will be cached in CS to answer the interest of certificate.
This is not a valid solution because CS no longer accepts unsolicited Data.
Updated by Junxiao Shi almost 7 years ago
- Is duplicate of Feature #3892: Integrate publishing of KeyBundle into Face::setInterestFilter added