Project

General

Profile

Feature #5113

Override certificate name parts in KeyLocator

Added by Junxiao Shi over 1 year ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
5.00 h

Description

Since #5112, KeyLocator can contain either a key name or a certificate name.
When the validator operates in a network environment that uses a distinct certificate chain than what appears the KeyLocator, it may be necessary to override parts of the certificate name before fetching certificate.

This feature is to introduce an "issuer id override" option in certificate fetcher, configurable through ValidatorConfig.
After specifying this option to <issuer-id>:

  • For KeyLocator name that is a key name /<subject>/KEY/<key-id>, certificate retrieval Interest should be /<subject>/KEY/<key-id>/<issuer-id> CanBePrefix=true.
  • For KeyLocator name that is a certificate name with a different issuer id /<subject>/KEY/<key-id>/<issuer-other>, certificate retrieval Interest should be /<subject>/KEY/<key-id>/<issuer-id> CanBePrefix=true.
  • For KeyLocator name that is a certificate name with the same issuer id /<subject>/KEY/<key-id>/<issuer-id>/<version>, certificate retrieval Interest should be /<subject>/KEY/<key-id>/<issuer-id>/<version> CanBePrefix=false.

Related issues

Blocked by ndn-cxx - Feature #5112: Include certificate name in KeyLocatorNew

Actions
#1

Updated by Junxiao Shi over 1 year ago

Cross-project links:
https://github.com/named-data-iot/ndn-lite/issues/73

python-ndn and NDNts do not yet have trust schema validator, so that this feature isn't needed there.

#2

Updated by Junxiao Shi over 1 year ago

  • Blocked by Feature #5112: Include certificate name in KeyLocator added
#3

Updated by Alex Afanasyev over 1 year ago

  • Tags set to security

Also available in: Atom PDF