Task #5191
open
Bootstrapping, namespace and certificate management
Added by Saurab Dulal over 2 years ago.
Updated over 1 year ago.
Description
In the current code, certificates are created manually using ndnsec. The testing is done on a single machine and the same keychain is used by all the entities, so certificate management is not required. Given that some entities (e.g. consumer, producer) will run on different machines, bootstrapping and certificate management will be required.
Related issues: 1 (1 open, 0 closed)
- Assignee set to Tianyuan Yu
Here are the discussion notes regarding the security bootstrapping.
Goal:
- Enabling md2k data consumers and the mguard controller to communicate securely.
- The mguard controller here refers to an NDN entity that consists of Attribute Authority, Data Publisher and Trust Zone Controller as logical modules.
Assumption:
- md2k data consumers have already obtained identities from other trust zones.
Requirements:
- The mguard controller and md2k data consumers need to mutually authenticate each other.
- md2k data consumers need to accept the mguard controller's self-signed certificate as their trust anchor.
- md2k data consumers need to obtain a certificate that can be used to represent their identity inside the mguard trust zone.
- md2k data consumers need to obtain the trust policies of the mguard trust zone so that they can validate the mguard controller's Data.
- The mguard controller needs to obtain the trust policies of the md2k data consumers' trust zones so that it can validate md2k data consumers' certificates.
Initial Design for the Testbed Deployment Scenario
- md2k data consumers obtain identities and Testbed certificate through Testbed NDNCERT system.
- md2k data consumers authenticate the mguard controller through software installation. md2k data users obtain the software distribution point from an out-of-band shared git URL and download it through HTTPS. The software package embeds the trust policies together with the mguard controller's self-signed certificate, which is also the mguard trust zone's trust anchor.
- md2k data consumers obtain the mguard trust zone's trust anchor and trust policies as described above.
- mguard controller obtains Testbed trust policies and trust anchor through manual configuration.
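The consumer-side validation that the design above relies on, as an added example that is not code from the mguard project or from this issue: a consumer that has pinned the mguard trust anchor and trust policy from the software package validates controller Data by policy, Data signature and KeyLocator chain back to the anchor, and rejects Data from a key that merely carries an mguard name. Ed25519 from Go's standard library stands in for NDN signing; all key and data names, the certificate byte encoding, the single policy rule and the chain-depth limit are constructed assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)
// Cert stands in for an NDN certificate; Signer is its KeyLocator (equal to Name when self-signed).
type Cert struct {
	Name, Signer string
	Pub          ed25519.PublicKey
	Sig          []byte
}
func certBytes(c Cert) []byte { return []byte(c.Name + "|" + c.Signer + "|" + string(c.Pub)) }
// newKey makes a key pair and its certificate; a nil signPriv means self-signed (a trust anchor).
func newKey(name, signer string, signPriv ed25519.PrivateKey) (Cert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	if signPriv == nil { signPriv = priv } // constructed convention: anchors sign themselves
	c := Cert{Name: name, Signer: signer, Pub: pub}
	c.Sig = ed25519.Sign(signPriv, certBytes(c))
	return c, priv
}
// Validate checks Data against one trust zone: trust policy (which key names may sign which data names),
// Data signature, then the KeyLocator chain up to the pinned anchor, bounded so a forged cycle cannot loop.
func Validate(anchor Cert, policy func(data, key string) bool, certs map[string]Cert, dataName string, payload, sig []byte, keyName string) bool {
	c, known := certs[keyName]
	if !known || !policy(dataName, keyName) || !ed25519.Verify(c.Pub, payload, sig) {
		return false
	}
	for depth := 0; c.Name != c.Signer; depth++ {
		parent, ok := certs[c.Signer]
		if depth > 4 || !ok || !ed25519.Verify(parent.Pub, certBytes(c), c.Sig) {
			return false
		}
		c = parent
	}
	return c.Name == anchor.Name && c.Pub.Equal(anchor.Pub)
}
// Scenario (constructed names): the consumer pins the mguard anchor shipped in the software package and
// accepts controller Data, but rejects Data from a self-signed key that only carries an mguard name.
func Scenario() (acceptsController, acceptsRogue bool) {
	anchor, anchorPriv := newKey("/mguard/KEY/anchor", "/mguard/KEY/anchor", nil)
	ctrl, ctrlPriv := newKey("/mguard/controller/KEY/1", anchor.Name, anchorPriv)
	rogue, roguePriv := newKey("/mguard/controller/KEY/2", "/mguard/controller/KEY/2", nil)
	mguardPolicy := func(d, k string) bool { return strings.HasPrefix(d, "/mguard/") && strings.HasPrefix(k, "/mguard/") }
	certs, data := map[string]Cert{anchor.Name: anchor, ctrl.Name: ctrl, rogue.Name: rogue}, []byte("trust policy update")
	return Validate(anchor, mguardPolicy, certs, "/mguard/policy/1", data, ed25519.Sign(ctrlPriv, data), ctrl.Name),
		Validate(anchor, mguardPolicy, certs, "/mguard/policy/1", data, ed25519.Sign(roguePriv, data), rogue.Name)
}
func main() { fmt.Println(Scenario()) } // prints: true false
```

The rogue case is the one the pinned anchor protects against: the policy and the Data signature both check out, and only the chain walk to the anchor shipped with the software exposes it.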
- Status changed from New to In Progress
- Related to Task #5220: Automatically verify public key certificate from the users added