Feature #5121
Reserve and enforce restriction for /localhost/identity namespace
Status: open
% Done: 0%
Description
De facto, we have reserved the /localhost/identity namespace for special uses: digest256 identity and HMAC "identity". However, these restrictions are not actively enforced and may lead to issues.
Several restrictions to consider:
- key generation should fail if the prefix is /localhost/identity
- validation should fail if the identity type is not handled explicitly
Current state:
$ ndnsec-keygen /localhost/identity/digest-sha256
$ ndnsec-ls-identity -vvv
* /localhost/identity/digest-sha256
+->* /localhost/identity/digest-sha256/KEY/O%26%DA0%15n%7F%1C
+->* /localhost/identity/digest-sha256/KEY/O%26%DA0%15n%7F%1C/self/%FD%00%00%01s%15%9E%5BX
Certificate name:
/localhost/identity/digest-sha256/KEY/O%26%DA0%15n%7F%1C/self/%FD%00%00%01s%15%9E%5BX
Validity:
NotBefore: 19700101T000000
NotAfter: 20400628T165926
Public key bits:
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOlpvgzk4y6eiu6mlY3v9oE+BnCBj
hz/cL2GSn3Pxg6jhI9g94fO3zIrGP6Jhu+1GMsexBvY2Z34SepI41AJQkQ==
Signature Information:
Signature Type: SignatureSha256WithEcdsa
Key Locator: Self-Signed Name=/localhost/identity/digest-sha256/KEY/O%26%DA0%15n%7F%1C
I also don't see any restriction anywhere on /localhost/identity/digest-sha256 certificate fetching. If the validator encounters a packet with key locator /localhost/identity/digest-sha256, it will still try to fetch it.
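One way to express the two restrictions listed above as name checks, as an added C++ example that is not the project's code or API. `parseName`, `isUnder`, `keygenAllowed`, `classifyKeyLocator` and the `Locator` enum are hypothetical names, and treating only the exact `/localhost/identity/digest-sha256` name as explicitly handled is an assumption.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

using Name = std::vector<std::string>;  // percent-decoded name components

// Split an NDN URI on '/' and percent-decode each component, so that
// "/localhost/%69dentity" compares equal to "/localhost/identity".
Name parseName(const std::string& uri) {
  Name name;
  std::string comp;
  for (std::size_t i = 0; i <= uri.size(); ++i) {
    if (i == uri.size() || uri[i] == '/') {
      if (!comp.empty()) name.push_back(comp);
      comp.clear();
    } else if (uri[i] == '%' && i + 2 < uri.size() &&
               std::isxdigit(static_cast<unsigned char>(uri[i + 1])) &&
               std::isxdigit(static_cast<unsigned char>(uri[i + 2]))) {
      comp.push_back(static_cast<char>(std::stoi(uri.substr(i + 1, 2), nullptr, 16)));
      i += 2;
    } else {
      comp.push_back(uri[i]);
    }
  }
  return name;
}

// Component-wise prefix match: "/localhost/identityX" is NOT under the prefix.
bool isUnder(const Name& prefix, const Name& name) {
  return prefix.size() <= name.size() && std::equal(prefix.begin(), prefix.end(), name.begin());
}

const Name kReserved = parseName("/localhost/identity");
// Assumption: only the digest-sha256 identity named on the page is handled.
const Name kHandled = parseName("/localhost/identity/digest-sha256");

// First restriction: refuse key generation anywhere under the reserved prefix.
bool keygenAllowed(const std::string& identity) {
  return !isUnder(kReserved, parseName(identity));
}

enum class Locator { Fetch, HandleLocally, Reject };
// Second restriction: a reserved key locator is never fetched; it is either
// handled explicitly or validation fails.
Locator classifyKeyLocator(const std::string& keyLocator) {
  const Name name = parseName(keyLocator);
  if (!isUnder(kReserved, name)) return Locator::Fetch;
  return name == kHandled ? Locator::HandleLocally : Locator::Reject;
}
```

Comparing decoded components rather than raw strings is what keeps a percent-encoded spelling of the prefix from slipping past the check while leaving sibling names such as `/localhost/identityX` unaffected.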