Version 4 - History - Trust Model - mGuard - NDN project issue tracking system

Trust Model » History » Version 4

Suravi Regmi, 11/25/2025 05:24 PM

-Suravi Regmi
+# Trust Model
-Suravi Regmi
+## Signing chain
 ![](cert signing chain.png)
 Suravi Regmi
-Suravi Regmi
+---
 Suravi Regmi
-Suravi Regmi
+## Trust Model
-Suravi Regmi
+![trust anchor](Group 71.png)
 Suravi Regmi
 ----
-Suravi Regmi
+### Component identities
 Suravi Regmi
-Suravi Regmi
+**Producer Behavior**
 Suravi Regmi
-Suravi Regmi
+Producer validates:
 - AA public parameters (`/aa/PUBPARAMS`)
 Producer signs:
 - Stream manifests (RSA) using stream identity certificates
 - CK packets (digest)
 - Encrypted data (digest)
 Producer serves:
 - Producer certificate
 - All stream certificates
 Producer no longer signs manifests with its own identity;
 manifests are now signed by stream identities.
 **Consumer Behavior**
 The consumer performs the most validation.
 Consumer validates:
 - AA parameters (RSA)
 - DKEY segments (RSA)
 - Controller POLICYDATA (RSA)
 - Stream manifests (RSA)
 - CK packets (digest)
 - Encrypted data segments (digest)
 All rules validated using the consumers trust schema.
 Consumer decrypts:
 . Encrypted application DATA → extract CK name
 . Fetch CK → decrypt with DKEY
 . Decrypt DATA using CK
 The consumer uses three rules:
 . **AA public parameters and DKEY validation**
    `/ndn/md2k/mguard/aa/*` signed by AA (RSA), chaining to root.
 . **Controller POLICYDATA replies**
    `/ndn/md2k/mguard/controller/*` signed by controller (RSA), chaining to root.
 . **Stream and producer content**
    `/ndn/md2k/mguard/dd40c/*`
    Allows:
    - `sha256` (digest) for encrypted DATA, CK, metadata
    - `rsa-sha256` for manifests, stream certs
    KeyLocator must be a prefix of the Data name.
 All validations ultimately chain back to `/ndn/md2k`.

Project

General

Profile

mGuard

Trust Model » History » Version 4