Version 9 - History - Trust Model - mGuard - NDN project issue tracking system

Trust Model » History » Version 9

Suravi Regmi, 11/25/2025 09:25 PM

-Suravi Regmi
+# Trust Model
-Suravi Regmi
+## Signing chain
 ![](cert signing chain.png)
 Suravi Regmi
-Suravi Regmi
+---
 Suravi Regmi
-Suravi Regmi
+## Trust Model
-Suravi Regmi
+![trust anchor](Group 71.png)
 Suravi Regmi
 ----
-Suravi Regmi
+## Component identities
 Suravi Regmi
-Suravi Regmi
+### Root / Site CA
-Suravi Regmi
+**Identity:** `/ndn/md2k`
 **Type:** Self-signed root CA
 **Trust Anchor:** `md2k-trust-anchor.ndncert`
 Suravi Regmi
-Suravi Regmi
+All components ultimately chain to this root.Consumers load this file so they can trust any certificate issued under `/ndn/md2k`.
 Suravi Regmi
-Suravi Regmi
+**Identities Signed by the Root CA**
 Suravi Regmi
 The root `/ndn/md2k` signs:
 Suravi Regmi
 - `/ndn/md2k/mguard/controller`
-Suravi Regmi
+- `/ndn/md2k/mguard/aa`
 - `/ndn/md2k/mguard/dd40c` (producer)
 - All consumer identities (example: `/ndn/md2k/adam`)
 Suravi Regmi
-Suravi Regmi
+Defines the trust boundary.
-Suravi Regmi
+---
-Suravi Regmi
+### Controller (/ndn/md2k/mguard/controller)
 * Signs **POLICYDATA.**
 * Issues policy decisions (who can access what).
 * Does not decrypt or validate ABE content.
 ### Attribute Authority (AA) (/ndn/md2k/mguard/aa)
 * Signs **PUBPARAMS.**
 * Generates and signs ** DKEYs**  (consumer ABE private keys).
 * Only entity holding ABE master secret.
 ---
 ### Producer (/ndn/md2k/mguard/dd40c)
 Signs and serves  stream certificates.
-Suravi Regmi
+The producer identity `/ndn/md2k/mguard/dd40c` signs all stream identities:
 - `/ndn/md2k/mguard/dd40c/phone/accelerometer`
 - `/ndn/md2k/mguard/dd40c/phone/gyroscope`
 - `/ndn/md2k/mguard/dd40c/phone/gps`
 - `/ndn/md2k/mguard/dd40c/phone/battery`
 - `/ndn/md2k/mguard/dd40c/data_analysis/gps_episodes_and_semantic_location`
-Suravi Regmi
+These stream identities are used to sign **manifests**, **encrypted DATA**, and **CK packets**.
-Suravi Regmi
+**Producer validates:**
-Suravi Regmi
+- AA public parameters (`/aa/PUBPARAMS`)
 Suravi Regmi
-Suravi Regmi
+**Publishes:**
 * Encrypted DATA (digest-signed for NAC-ABE)
 * CK Data (digest-signed)
 * MANIFESTS (RSA-signed)
 Suravi Regmi
-Suravi Regmi
+**Producer serves:**
-Suravi Regmi
+- Producer certificate
 - All stream certificates
 ---
-Suravi Regmi
+### Stream Identities (/ndn/md2k/mguard/dd40c/phone/…)
 Suravi Regmi
-Suravi Regmi
+* Used to sign RSA-signed objects (manifest).
 * metadata, DATA, CK(handled by nac-abe)
 * Each stream has its own identity and cert.
 ---
 ### Consumer (e.g./ndn/md2k/adam)
 **Consumer validates:**
-Suravi Regmi
+- AA parameters (RSA)
 - DKEY segments (RSA)
 - Controller POLICYDATA (RSA)
 - Stream manifests (RSA)
 - CK packets (digest)
 - Encrypted data segments (digest)
 All rules validated using the consumers trust schema.
 Consumer decrypts:
 . Encrypted application DATA → extract CK name
 . Fetch CK → decrypt with DKEY
 . Decrypt DATA using CK
 The consumer uses three rules:
 . **AA public parameters and DKEY validation**
    `/ndn/md2k/mguard/aa/*` signed by AA (RSA), chaining to root.
 . **Controller POLICYDATA replies**
    `/ndn/md2k/mguard/controller/*` signed by controller (RSA), chaining to root.
 . **Stream and producer content**
    `/ndn/md2k/mguard/dd40c/*`
    Allows:
    - `sha256` (digest) for encrypted DATA, CK, metadata
    - `rsa-sha256` for manifests, stream certs
    KeyLocator must be a prefix of the Data name.
-Suravi Regmi
+All validations ultimately chain back to `/ndn/md2k`.

Project

General

Profile

mGuard

Trust Model » History » Version 9