Bug #2407
closed
Local certificate is not published
Added by Yanbiao Li almost 10 years ago.
Updated over 7 years ago.
Description
After a proper trust model is configured in localhop_security for remote registration, the remote hub needs to fetch the certificate from the requester to verify the signature. But it fails with error "can not fetch cert".
According to the traffic captured by ndndump, the remote hub sent out the interest for the certificate, but the requester didn't answer it.
A temporary solution:
Before sending out remote registration command, just put the data of certificate of the key that signs this command on the face. Thus, the certificate will be cached in CS to answer the interest of certificate.
- Subject changed from Remote hub can not fetch the certificate to verify remote registrations to Local certificate is not published
- Category set to RIB
- Status changed from New to In Progress
- Assignee set to Yanbiao Li
- Target version set to v0.3
Long-term solution is to use PIB service that will publish all local certificates. Right now, we need a short-term solution to fix the problem.
- Related to Feature #2181: Disallow unsolicited Data from local apps added
FYI: #2201 uses repo-ng on laptops to serve certificates.
Hmm... I would actually consider running a local ndns server. The problem is that we are getting extra dependencies, which require extensive documentation.
- Target version changed from v0.3 to v0.4
Long-term solution is to use PIB service that will publish all local certificates. Right now, we need a short-term solution to fix the problem.
PIB service is completed in #3018.
We just need to update remote registration documentation and prompt user to use PIB service on end hosts.
- Status changed from In Progress to New
20150803 conference call confirms that the "temporary solution" is no longer necessary.
@Yanbiao will do a manual test, and update documentation together with #2413.
NFD devguide update in nfd-docs:commit:5897967cb62c37c7c80859f84a3e797cb36d27a1 as part of #3211 and #2413 does not include sufficient information about how to deploy PIB service on the end host.
This part is still needed.
Has the feature key-chain been merged?
Currently, I have two options:
1) write some code in the automatic prefix propagation to publish certificates into the PIB.
2) write a small tool to publish certificates into the PIB.
I guess both of the above options are just temporary solutions. As this issue is not so urgent (if it is, I can pick up one option to work with), I prefer to wait until the feature key-chain is merged.
PIB service is part of ndn-tools, which is already merged.
This issue only needs documentation update on how to use PIB service to publish end host's certificates; there's no coding.
PIB service works now, but it does not supply any command line option to publish certificates. The feature of publishing certificates automatically will be available after the feature key-chain is merged.
Currently, if you just want to test whether PIB works in the auto prefix propagation scenario, we have the two options I mentioned in note-8. But both are temporary solutions that will be removed once the feature key-chain is merged.
For the dev guide, I think it should completely reflect what I did in the code. As I did not write the code to publish certificates, I did not discuss the process in detail in the dev guide.
PIB service works now, but it does not supply any command line option to publish certificates. The feature of publishing certificates automatically will be available after the feature key-chain is merged.
Exactly which feature of that branch is needed?
As I understand, PIB service should automatically find all certificates in current user's PIB and publish them.
If there is a blocking feature, make this issue blocked by that feature.
At 20151020 conference call, @Yingdi Yu reveals that the problem is that today's PIB used by applications does not interact with PIB service, so that PIB service would not publish certificates created by an application at runtime.
After #1794 (would be part of feature-keychain branch), the PIB used by application would tell PIB service to publish certificates.
- Target version changed from v0.4 to v0.5
- Status changed from New to Duplicate
Before sending out remote registration command, just put the data of certificate of the key that signs this command on the face. Thus, the certificate will be cached in CS to answer the interest of certificate.
This is not a valid solution because CS no longer accepts unsolicited Data.
The solution of the original problem is #3891 #3892.
- Is duplicate of Feature #3892: Integrate publishing of KeyBundle into Face::setInterestFilter added