PublicKey Info Base » History » Version 3
Yingdi Yu, 07/07/2014 10:22 PM
1 | 1 | Yingdi Yu | Public key Info Base (PIB) Service |
---|---|---|---|
2 | ================================== |
||
3 | |||
4 | ## Public Key Info Management |
||
5 | |||
6 | NDN data packets are secured through digital signatures. |
||
7 | 2 | Yingdi Yu | In order to generate a valid signature, an NDN application needs to know not only the correct key to use but also the correct public key information that should be put into the `KeyLocator` of a data packet. |
8 | The information needs to be managed locally on the system where the application is running. |
||
9 | |||
10 | The information related to keys is managed at three granularities: identities, keys, and certificates. |
||
11 | A key is always associated with a namespace, called "identity". |
||
12 | An identity however may have more than one keys bound. |
||
13 | Among these keys, only one is the default key of the identity. |
||
14 | If only identity is provided when signing a packet, the default key of the identity will be used to sign the packet. |
||
15 | |||
16 | A certificate is always associated with the key in the certificate |
||
17 | If a certificate is provided when signing a packet, the corresponding private key should be used to sign the packet |
||
18 | and the name of the certificate name may be put into the `KeyLocator` of the packet. |
||
19 | |||
20 | A key may have more than one certificates (e.g., certificates may be issued by different parties). |
||
21 | Among these certificates, only one is the default certificate of the key. |
||
22 | The default certificate of the default key of an identity is the default certificate of the identity. |
||
23 | If only identity is provided when signing a packet, the name of the default certificate of the identity may be put into the `KeyLocator` of the packet. |
||
24 | |||
25 | 3 | Yingdi Yu | All the information above may be accessed by different APIs and applications on the same system, |
26 | therefore it is desirable to make the information provisioning as a system service. |
||
27 | 1 | Yingdi Yu | |
28 | 3 | Yingdi Yu | Since public keys and certificates are supposed to be publicly available, |
29 | the service also serves as a local storage of certificate and public keys, |
||
30 | besides providing the public key related information. |
||
31 | 1 | Yingdi Yu | |
32 | 3 | Yingdi Yu | ## PIB management model |
33 | 1 | Yingdi Yu | |
34 | 3 | Yingdi Yu | The public key information of each system user is managed separately in PIB. |
35 | For now, PIB service is a system service (i.e., run by root). |
||
36 | PIB service may be separated into several user services (i.e., run by each user) in the future. |
||
37 | 1 | Yingdi Yu | |
38 | 3 | Yingdi Yu | Each user has three tables in PIB: identity table, key table, and certificate table. |
39 | The public key information of a user is managed in these tables. |
||
40 | Each user has its own default identity. |
||
41 | From the default identity, the default key and certificate of the user can be derived. |
||
42 | 1 | Yingdi Yu | |
43 | 3 | Yingdi Yu | |
44 | The read access to a user's public key information is not restricted, |
||
45 | while the write access to a user's public key information requires authentication. |
||
46 | The authentication rules are defined as: |
||
47 | |||
48 | * Each user has a local management key |
||
49 | |||
50 | |||
51 | ## PIB Service Protocol |
||
52 | |||
53 | PIB service provides an interface to NDN applications for public key info lookup. |
||
54 | The interface is defined in terms of NDN packets (interest/data). |
||
55 | A query to PIB is expressed as a **[signed interest](http://redmine.named-data.net/projects/nfd/wiki/Signed_Interests)**. |