Version 5 - History - Trust Model - mGuard - NDN project issue tracking system

Trust Model » History » Version 5

Suravi Regmi, 11/25/2025 05:27 PM

-Suravi Regmi
+# Trust Model
-Suravi Regmi
+## Signing chain
 ![](cert signing chain.png)
 Suravi Regmi
-Suravi Regmi
+---
 Suravi Regmi
-Suravi Regmi
+## Trust Model
-Suravi Regmi
+![trust anchor](Group 71.png)
 Suravi Regmi
 ----
-Suravi Regmi
+### Component identities
 Suravi Regmi
 Suravi Regmi
 ## 1. Root Identity
 **Root / Site CA**
 **Identity:** `/ndn/md2k`
 **Type:** Self-signed root CA
 **Trust Anchor:** `md2k-trust-anchor.ndncert`
 All components ultimately chain to this root.
 Consumers load this file so they can trust any certificate issued under `/ndn/md2k`.
 ---
 **Identities Signed by the Root CA**
 The root `/ndn/md2k` signs:
 - `/ndn/md2k/mguard/controller`
 - `/ndn/md2k/mguard/aa`
 - `/ndn/md2k/mguard/dd40c` (producer)
 - All consumer identities (example: `/ndn/md2k/adam`)
 ---
 **Stream Identities Signed by the Producer**
 The producer identity `/ndn/md2k/mguard/dd40c` signs all stream identities:
 - `/ndn/md2k/mguard/dd40c/phone/accelerometer`
 - `/ndn/md2k/mguard/dd40c/phone/gyroscope`
 - `/ndn/md2k/mguard/dd40c/phone/gps`
 - `/ndn/md2k/mguard/dd40c/phone/battery`
 - `/ndn/md2k/mguard/dd40c/data_analysis/gps_episodes_and_semantic_location`
 These stream identities are used to sign **manifests**, **encrypted DATA**, and **CK packets**.
 The producer must now serve the certificates for these streams
 (interest filter on each stream's certificate prefix).
 ---
-Suravi Regmi
+**Producer Behavior**
 Suravi Regmi
-Suravi Regmi
+Producer validates:
 - AA public parameters (`/aa/PUBPARAMS`)
 Producer signs:
 - Stream manifests (RSA) using stream identity certificates
 - CK packets (digest)
 - Encrypted data (digest)
 Producer serves:
 - Producer certificate
 - All stream certificates
 Producer no longer signs manifests with its own identity;
 manifests are now signed by stream identities.
-Suravi Regmi
+---
 Suravi Regmi
 **Consumer Behavior**
 The consumer performs the most validation.
 Consumer validates:
 - AA parameters (RSA)
 - DKEY segments (RSA)
 - Controller POLICYDATA (RSA)
 - Stream manifests (RSA)
 - CK packets (digest)
 - Encrypted data segments (digest)
 All rules validated using the consumers trust schema.
 Consumer decrypts:
 . Encrypted application DATA → extract CK name
 . Fetch CK → decrypt with DKEY
 . Decrypt DATA using CK
 The consumer uses three rules:
 . **AA public parameters and DKEY validation**
    `/ndn/md2k/mguard/aa/*` signed by AA (RSA), chaining to root.
 . **Controller POLICYDATA replies**
    `/ndn/md2k/mguard/controller/*` signed by controller (RSA), chaining to root.
 . **Stream and producer content**
    `/ndn/md2k/mguard/dd40c/*`
    Allows:
    - `sha256` (digest) for encrypted DATA, CK, metadata
    - `rsa-sha256` for manifests, stream certs
    KeyLocator must be a prefix of the Data name.
 All validations ultimately chain back to `/ndn/md2k`.

Project

General

Profile

mGuard

Trust Model » History » Version 5