The below specification is partially implemented since ndn-cxx 0.6.0, but it's being redesigned in #2766-30. This page is kept for historical purpose.

Certificate Bundle

Certificate Bundle protocol provides a way to retrieve a set of the certificates needed to authenticate a data packet within one RTT.

Certificate Bundle Packet Format

The Certificate Bundle is an encapsulation that consists of a list of certificates needed to authenticate an NDN Data packet.

A Certificate Bundle packet consists of multiple certificates starting with the certificate needed to validate the original data packet, followed by the certificate needed to validate the previous certificate, and so on. The certificates in the certificate bundle appear in the order in which they are needed for validation. A certificate bundle may have many segments if the list of certificates exceed the maximum packet size. Each segment will always have complete certificates.

The Certificate Bundle packet uses DigestSha256 signature which provides no provenance of the packet and is intended to protect against any unexpected modifications.

The Certificate Bundle Data packet is a TLV defined as follows:

CertificateBundle ::= DATA-TYPE TLV-LENGTH


The list of certificates in the BundleContent SHOULD be in the following order - the certificate to validate the target data packet, followed by the certificate to validate the first certificate and so on.

Naming Conventions

The name of the Certificate Bundle is an extension of the name of the target data packet which is to be verified. It starts with the associated name followed by a special name component “BUNDLE”, indicating that the content is a Certificate Bundle. After the BUNDLE component, there is a version number because it’s possible that the Certificate Bundle is updated. The last component of the Certificate Bundle name is a segment number in case the Certificate Bundle is too big to fit in one data packet. Note that the segment number 0 is present in the name of the first segment of Certificate Bundle even if there is only one segment of the bundle.

Hence the naming convention for the Certificate Bundle is as follows:


where the derived(data_name) is determined by the trust schema rules.

Well-known rules:

       1. If last name component in data_name is segment number, then

                    derived(data_name) = data_name.getPrefix(-1)

       2. If last name component is Implicit Digest , then

                    If second last name component is segment number, then 
                         derived(data_name) = data_name.getPrefix(-2) 
                         derived(data_name) = data_name.getPrefix(-1)

Updated by Junxiao Shi 10 months ago · 2 revisions