Project

General

Profile

Actions

Bug #2407

closed

Local certificate is not published

Added by Yanbiao Li almost 10 years ago. Updated over 7 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
Category:
RIB
Target version:
Start date:
01/23/2015
Due date:
% Done:

0%

Estimated time:

Description

After a proper trust model is configured in localhop_security for remote registration, the remote hub needs to fetch the certificate from the requester to verify the signature. But it fails with error "can not fetch cert".

According to the traffic captured by ndndump, the remote hub sent out the interest for certificate, but the requester didn't answer it.

A temporary solution:

Before sending out remote registration command, just put the data of certificate of the key that signs this command on the face. Thus, the certificate will be cached in CS to answer the interest of certificate.


Related issues 3 (0 open3 closed)

Related to NFD - Feature #2181: Disallow unsolicited Data from local appsClosedJunxiao Shi

Actions
Is duplicate of ndn-cxx - Feature #3892: Integrate publishing of KeyBundle into Face::setInterestFilterAbandonedManika Mittal12/14/2016

Actions
Blocked by ndn-cxx - Feature #1794: Make KeyChain use PIB ServiceRejected

Actions
Actions #1

Updated by Alex Afanasyev almost 10 years ago

  • Subject changed from Remote hub can not fetch the certificate to verify remote registrations to Local certificate is not published
  • Category set to RIB
  • Status changed from New to In Progress
  • Assignee set to Yanbiao Li
  • Target version set to v0.3

Long-term solution is to use PIB service that will publish all local certificates. Right now, we need a short-term solution to fix the problem.

Actions #2

Updated by Junxiao Shi almost 10 years ago

  • Related to Feature #2181: Disallow unsolicited Data from local apps added
Actions #3

Updated by Junxiao Shi almost 10 years ago

FYI: #2201 uses repo-ng on laptops to serve certificates.

Actions #4

Updated by Alex Afanasyev almost 10 years ago

Hmm... I would actually consider running local ndns server.. The problem is that we are getting extra dependencies, which require extensive documentation.

Actions #5

Updated by Junxiao Shi over 9 years ago

  • Target version changed from v0.3 to v0.4

Long-term solution is to use PIB service that will publish all local certificates. Right now, we need a short-term solution to fix the problem.

PIB service is completed in #3018.

We just need to update remote registration documentation and prompt user to use PIB service on end hosts.

Actions #6

Updated by Junxiao Shi over 9 years ago

  • Status changed from In Progress to New

20150803 conference call confirms that the "temporary solution" is no longer necessary.

@Yanbiao will do a manual test, and update documentation together with #2413.

Actions #7

Updated by Junxiao Shi about 9 years ago

NFD devguide update in nfd-docs:commit:5897967cb62c37c7c80859f84a3e797cb36d27a1 as part of #3211 and #2413 does not include sufficient information about how to deploy PIB service on the end host.
This part is still needed.

Actions #8

Updated by Yanbiao Li about 9 years ago

has the feature key-chain been merged?

Currently, I have two options:
1) write some code in the automatic prefix propagation to publish certificates into the PIB.
2) write a small tool to publish certificates into the PIB.

I guess both above options are just temporal solutions. As this issue is not so urgent (If it is, I can pick up one option to work with), I prefer to wait the feature key-chain merged.

Actions #9

Updated by Junxiao Shi about 9 years ago

PIB service is part of ndn-tools, which is already merged.

This issue only needs documentation update on how to use PIB service to publish end host's certificates; there's no coding.

Actions #10

Updated by Yanbiao Li about 9 years ago

PIB service works now, but it does not supply any command line option to publish certificates. The feature of publishing certificates automatically will be available after the feature key-chain is merged.

Currently, if you just want to test whether PIB works in the auto prefix propagation scenario, we have two options I mentioned in note-8. But both are temporal solutions that will be removed once the feature key-chain is merged.

For the dev guide, I think it should completely reflect what I did in the code. As I did not the write the code to publish certificates, I did not discuss the process in detail in the dev guide.

Actions #11

Updated by Junxiao Shi about 9 years ago

PIB service works now, but it does not supply any command line option to publish certificates. The feature of publishing certificates automatically will be available after the feature key-chain is merged.

Exactly which feature of that branch is needed?
As I understand, PIB service should automatically find all certificates in current user's PIB and publish them.

If there is a blocking feature, make this issue blocked by that feature.

Actions #12

Updated by Junxiao Shi about 9 years ago

Actions #13

Updated by Junxiao Shi about 9 years ago

At 20151020 conference call, @Yingdi Yu reveals that the problem is that today's PIB used by applications does not interact with PIB service, so that PIB service would not publish certificates created by an application at runtime.

After #1794 (would be part of feature-keychain branch), the PIB used by application would tell PIB service to publish certificates.

Actions #14

Updated by Alex Afanasyev about 9 years ago

  • Target version changed from v0.4 to v0.5
Actions #15

Updated by Junxiao Shi over 7 years ago

  • Status changed from New to Duplicate

Before sending out remote registration command, just put the data of certificate of the key that signs this command on the face. Thus, the certificate will be cached in CS to answer the interest of certificate.

This is not a valid solution because CS no longer accepts unsolicited Data.

The solution of the original problem is #3891 #3892.

Actions #16

Updated by Junxiao Shi over 7 years ago

  • Is duplicate of Feature #3892: Integrate publishing of KeyBundle into Face::setInterestFilter added
Actions

Also available in: Atom PDF