PublicKey Info Base » History » Version 3
Yingdi Yu, 07/07/2014 10:22 PM
| 1 | 1 | Yingdi Yu | Public key Info Base (PIB) Service |
|---|---|---|---|
| 2 | ================================== |
||
| 3 | |||
| 4 | ## Public Key Info Management |
||
| 5 | |||
| 6 | NDN data packets are secured through digital signatures. |
||
| 7 | 2 | Yingdi Yu | In order to generate a valid signature, an NDN application needs to know not only the correct key to use but also the correct public key information that should be put into the `KeyLocator` of a data packet. |
| 8 | The information needs to be managed locally on the system where the application is running. |
||
| 9 | |||
| 10 | The information related to keys is managed at three granularities: identities, keys, and certificates. |
||
| 11 | A key is always associated with a namespace, called "identity". |
||
| 12 | An identity however may have more than one keys bound. |
||
| 13 | Among these keys, only one is the default key of the identity. |
||
| 14 | If only identity is provided when signing a packet, the default key of the identity will be used to sign the packet. |
||
| 15 | |||
| 16 | A certificate is always associated with the key in the certificate |
||
| 17 | If a certificate is provided when signing a packet, the corresponding private key should be used to sign the packet |
||
| 18 | and the name of the certificate name may be put into the `KeyLocator` of the packet. |
||
| 19 | |||
| 20 | A key may have more than one certificates (e.g., certificates may be issued by different parties). |
||
| 21 | Among these certificates, only one is the default certificate of the key. |
||
| 22 | The default certificate of the default key of an identity is the default certificate of the identity. |
||
| 23 | If only identity is provided when signing a packet, the name of the default certificate of the identity may be put into the `KeyLocator` of the packet. |
||
| 24 | |||
| 25 | 3 | Yingdi Yu | All the information above may be accessed by different APIs and applications on the same system, |
| 26 | therefore it is desirable to make the information provisioning as a system service. |
||
| 27 | 1 | Yingdi Yu | |
| 28 | 3 | Yingdi Yu | Since public keys and certificates are supposed to be publicly available, |
| 29 | the service also serves as a local storage of certificate and public keys, |
||
| 30 | besides providing the public key related information. |
||
| 31 | 1 | Yingdi Yu | |
| 32 | 3 | Yingdi Yu | ## PIB management model |
| 33 | 1 | Yingdi Yu | |
| 34 | 3 | Yingdi Yu | The public key information of each system user is managed separately in PIB. |
| 35 | For now, PIB service is a system service (i.e., run by root). |
||
| 36 | PIB service may be separated into several user services (i.e., run by each user) in the future. |
||
| 37 | 1 | Yingdi Yu | |
| 38 | 3 | Yingdi Yu | Each user has three tables in PIB: identity table, key table, and certificate table. |
| 39 | The public key information of a user is managed in these tables. |
||
| 40 | Each user has its own default identity. |
||
| 41 | From the default identity, the default key and certificate of the user can be derived. |
||
| 42 | 1 | Yingdi Yu | |
| 43 | 3 | Yingdi Yu | |
| 44 | The read access to a user's public key information is not restricted, |
||
| 45 | while the write access to a user's public key information requires authentication. |
||
| 46 | The authentication rules are defined as: |
||
| 47 | |||
| 48 | * Each user has a local management key |
||
| 49 | |||
| 50 | |||
| 51 | ## PIB Service Protocol |
||
| 52 | |||
| 53 | PIB service provides an interface to NDN applications for public key info lookup. |
||
| 54 | The interface is defined in terms of NDN packets (interest/data). |
||
| 55 | A query to PIB is expressed as a **[signed interest](http://redmine.named-data.net/projects/nfd/wiki/Signed_Interests)**. |