NDNCERT CA Configuration
A CA configuration is for a name owner to manage its NDNCERT-based Certificate Authority (CA).
The configuration is a file in JSON format.
Specifically, it has the format below (each [description] represents a value that the user should fill in).
{
  "ca-prefix": "[CA NDN name]",
  "issuing-freshness": "[a number in unit of second]",
  "validity-period": "[a number in unit of day]",
  "ca-info": "[a brief description of the CA]",
  "probe": "[JSON attribute]:[JSON attribute]:[...]",
  "supported-challenges":
  [
    { "type": "[Challenge ID]" },
    { "type": "[Challenge ID]" }
  ],
  "name-assignment":
  {
    "[type]": "[format-option]"
  }
}
Details of each JSON attribute are as follows.
- (required) ca-prefix: CA name prefix
- (required) issuing-freshness: The freshness period of a newly issued certificate Data packet
- (required) validity-period: The MAXIMUM validity period of a newly issued certificate Data packet
- (optional) ca-info: A brief, human-readable introduction of the CA
- (optional) probe: If a user wants to enforce the PROBE (name assignment process), the user needs to set this value to a list of JSON attributes in the format [JSON attribute]:[JSON attribute]:...:[JSON attribute]. As an example, if the CA requires the PROBE Interest to carry the requester's email and full name, the probe should be email:full-name.
- (required) supported-challenges: A list of challenges that are supported by the CA
- (optional) name-assignment: A list of name assignment functions that are used by the CA. Details are in the section below.
A CA configuration example:
{
  "ca-prefix": "/example",
  "issuing-freshness": "720",
  "validity-period": "360",
  "ca-info": "An example NDNCERT CA",
  "probe": "email:name",
  "supported-challenges":
  [
    { "type": "PIN" },
    { "type": "Email" }
  ],
  "name-assignment":
  {
    "param": "/name/email",
    "hash": "/email",
    "random": "doesNotMatter"
  }
}
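As an added illustration (not NDNCERT's own code), the following Python loads a configuration like the example above and checks the rules stated in the attribute list: the required attributes are present, no unknown attribute slipped in, ca-prefix is an NDN name, the two numeric values are positive integers, every supported challenge has a type, and the probe string splits into its attribute list. The consistency check that a param or hash format may only name parameters the PROBE collects is this example's own addition, as are all error messages.

```python
# Added illustration, not NDNCERT's own code: load a CA configuration file and
# check it against the attribute rules listed above. Field names come from the
# page; the checks, the normalization and the error messages are this example's own.
import json

REQUIRED = ("ca-prefix", "issuing-freshness", "validity-period", "supported-challenges")
# "redirect-to" is the Sub-CA redirection list described later on this page.
OPTIONAL = ("ca-info", "probe", "name-assignment", "redirect-to")
ASSIGNMENT_TYPES = ("param", "hash", "random")

# The page's example configuration, with the missing commas restored.
EXAMPLE_CONFIG = """
{
  "ca-prefix": "/example",
  "issuing-freshness": "720",
  "validity-period": "360",
  "ca-info": "An example NDNCERT CA",
  "probe": "email:name",
  "supported-challenges": [
    { "type": "PIN" },
    { "type": "Email" }
  ],
  "name-assignment": {
    "param": "/name/email",
    "hash": "/email",
    "random": "doesNotMatter"
  }
}
"""


def parse_probe_spec(spec):
    """Split the probe value 'email:name' into the attribute list the CA expects."""
    fields = [f for f in str(spec).split(":") if f]
    if not fields:
        raise ValueError("probe must list at least one attribute")
    return fields


def validate_ca_config(text):
    """Parse JSON text and return a normalized dict; raise ValueError on a bad config."""
    cfg = json.loads(text)
    if not isinstance(cfg, dict):
        raise ValueError("configuration must be a JSON object")
    missing = [k for k in REQUIRED if k not in cfg]
    if missing:
        raise ValueError("missing required attributes: " + ", ".join(missing))
    unknown = sorted(set(cfg) - set(REQUIRED) - set(OPTIONAL))
    if unknown:
        raise ValueError("unknown attributes: " + ", ".join(unknown))
    if not isinstance(cfg["ca-prefix"], str) or not cfg["ca-prefix"].startswith("/"):
        raise ValueError("ca-prefix must be an NDN name starting with '/'")
    # The page writes both numbers as strings; convert and require a positive value.
    for key in ("issuing-freshness", "validity-period"):
        try:
            value = int(cfg[key])
        except (TypeError, ValueError):
            raise ValueError(f"{key} must be an integer") from None
        if value <= 0:
            raise ValueError(f"{key} must be positive")
        cfg[key] = value
    challenges = cfg["supported-challenges"]
    if not isinstance(challenges, list) or not challenges:
        raise ValueError("supported-challenges must be a non-empty list")
    types = []
    for entry in challenges:
        if not isinstance(entry, dict) or not isinstance(entry.get("type"), str):
            raise ValueError("each supported challenge needs a string 'type'")
        types.append(entry["type"])
    cfg["supported-challenges"] = types
    if "probe" in cfg:
        cfg["probe"] = parse_probe_spec(cfg["probe"])
    if "name-assignment" in cfg:
        assignment = cfg["name-assignment"]
        bad = sorted(set(assignment) - set(ASSIGNMENT_TYPES))
        if bad:
            raise ValueError("unknown name-assignment types: " + ", ".join(bad))
        # Consistency check added by this example: a param/hash format can only
        # refer to parameters that the PROBE actually collects.
        if "probe" in cfg:
            collected = set(cfg["probe"])
            for kind in ("param", "hash"):
                for comp in str(assignment.get(kind, "")).split("/"):
                    if comp and comp not in collected:
                        raise ValueError(f"name-assignment {kind} uses unknown probe parameter '{comp}'")
    return cfg


if __name__ == "__main__":
    print(validate_ca_config(EXAMPLE_CONFIG))
```

Rejecting unknown attributes is deliberate: a misspelled key such as a mistyped probe or name-assignment would otherwise be silently ignored and the CA would run without the restriction the operator intended.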
The NDNCERT implementation includes a set of pre-defined name assignment functions. The CA operator can also change the code to provide custom assignment functions if needed.
The available assignment function types are param, hash, and random.
- param: Format a name based on the input probe parameters. The config format is similar to NDN naming. For example, if the provided format is /group/name, then the returned name for probe {group: irl, name: ndncert} will be /irl/ndncert.
- hash: Format a name based on the hash of the input probe parameters. The format is similar to NDN naming. For example, if the provided format is /group/name, then the returned name for the probe will be the hash of the values of group and name from the probe.
- random: Format a name from a random integer. For any probe, a random number will be returned as the name.
The configuration also allows multiple naming suggestions. For example, if param "/name" and random are both acceptable, then with the configuration
{
  "param": "/name",
  "random": ""
}
both name assignment outputs will be returned in the probe response.
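The three pre-defined function types and the multiple-suggestion behaviour, as an added Python illustration that is not NDNCERT's own code. Two assumptions are made because the page does not fix them: the hash type uses SHA-256 over the concatenated parameter values shortened to 8 hex digits, and a param or hash function whose parameter is absent from the probe is skipped rather than failing the whole PROBE.

```python
# Added illustration, not NDNCERT's own code: the three pre-defined name
# assignment function types (param, hash, random) applied to a PROBE, plus the
# multiple-suggestion behaviour. Assumptions: the hash type uses SHA-256 over
# the concatenated parameter values, shortened to 8 hex digits (the page does
# not say which digest NDNCERT uses), and a function whose probe parameter is
# missing is skipped instead of failing the whole PROBE.
import hashlib
import secrets


def format_components(fmt):
    """'/group/name' -> ['group', 'name']; each component names one probe parameter."""
    comps = [c for c in fmt.split("/") if c]
    if not comps:
        raise ValueError("format must name at least one probe parameter")
    return comps


def assign_param(fmt, probe):
    """param: replace every format component with the probe value of that name."""
    return "/" + "/".join(probe[c] for c in format_components(fmt))


def assign_hash(fmt, probe):
    """hash: a single component holding the digest of the named probe values."""
    digest = hashlib.sha256()
    for c in format_components(fmt):
        digest.update(probe[c].encode("utf-8"))
    return "/" + digest.hexdigest()[:8]


def assign_random(fmt, probe, rng=secrets.randbelow):
    """random: the format value is ignored; a random 32-bit integer is the name."""
    return "/" + str(rng(2 ** 32))


ASSIGNERS = {"param": assign_param, "hash": assign_hash, "random": assign_random}


def suggest_names(name_assignment, probe):
    """Run each configured function in order and return every suggestion.

    A param or hash function whose parameter is absent from the probe yields
    nothing; an unknown function type is a configuration error.
    """
    suggestions = []
    for kind, fmt in name_assignment.items():
        if kind not in ASSIGNERS:
            raise ValueError(f"unknown name-assignment type '{kind}'")
        try:
            suggestions.append(ASSIGNERS[kind](fmt, probe))
        except KeyError:
            continue
    return suggestions


if __name__ == "__main__":
    print(assign_param("/group/name", {"group": "irl", "name": "ndncert"}))  # /irl/ndncert
    print(suggest_names({"param": "/name", "random": ""}, {"name": "ndncert"}))
```

The random type draws from the secrets module rather than the random module, since a guessable name suggestion would let one requester predict another's assigned name; the rng parameter exists only to make the function testable.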
The NDNCERT implementation includes a set of pre-defined redirection condition functions. The CA operator can also change the code to provide custom Sub-CA redirection if needed; the redirections are returned to the client in the probe extension.
The only available predicate type is param.
- param: Evaluate the predicate against the input probe parameters. The config format is similar to NDN naming. For example, if the provided format is group=irl&name=ndncert, then the probe {group: irl, name: ndncert} will be redirected to the given site.
The configuration also allows multiple redirection suggestions. For example, if redirection to both /ndn/edu/ucla and /ndn/edu/ucla/cs is acceptable, then with the configuration
"redirect-to":
[
  {
    "ca-prefix": "/ndn/edu/ucla",
    "certificate": "...",
    "predicate-type": "param",
    "predicate-param": "site=ucla.edu"
  },
  {
    "ca-prefix": "/ndn/edu/ucla/cs",
    "certificate": "...",
    "predicate-type": "param",
    "predicate-param": "site=cs.ucla.edu"
  }
]
both redirections will be evaluated and returned in the probe response with the extension.
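Evaluating the redirect-to list above against a probe, as an added Python illustration that is not NDNCERT's own code. The predicate-param syntax key=value&key=value follows the page's examples; the matching rule (every listed key must equal the probe's value exactly) and returning only the Sub-CAs whose predicate holds are this example's interpretation, and the certificate values are placeholders.

```python
# Added illustration, not NDNCERT's own code: evaluate the 'redirect-to' list
# above against a PROBE using the param predicate type. The predicate-param
# syntax 'key=value&key=value' follows the page's examples; the matching rule
# (every listed key must equal the probe's value) and returning only the
# matching Sub-CAs are this example's interpretation. Certificates are placeholders.
from urllib.parse import parse_qsl

# The page's example list, with commas restored and placeholder certificates.
REDIRECT_TO = [
    {"ca-prefix": "/ndn/edu/ucla", "certificate": "<sub-CA certificate placeholder>",
     "predicate-type": "param", "predicate-param": "site=ucla.edu"},
    {"ca-prefix": "/ndn/edu/ucla/cs", "certificate": "<sub-CA certificate placeholder>",
     "predicate-type": "param", "predicate-param": "site=cs.ucla.edu"},
]


def param_predicate(predicate_param, probe):
    """True when every key=value pair in the predicate matches the probe exactly."""
    pairs = parse_qsl(predicate_param, keep_blank_values=True, strict_parsing=True)
    if not pairs:
        raise ValueError("predicate-param must contain at least one key=value pair")
    # Exact string comparison: a probe lacking the key never matches.
    return all(probe.get(key) == value for key, value in pairs)


PREDICATES = {"param": param_predicate}


def evaluate_redirects(redirect_to, probe):
    """Return (ca-prefix, certificate) for every entry whose predicate holds,
    in configuration order; an unknown predicate type is a configuration error."""
    matches = []
    for entry in redirect_to:
        kind = entry["predicate-type"]
        if kind not in PREDICATES:
            raise ValueError(f"unknown predicate-type '{kind}'")
        if PREDICATES[kind](entry["predicate-param"], probe):
            matches.append((entry["ca-prefix"], entry["certificate"]))
    return matches


if __name__ == "__main__":
    print(evaluate_redirects(REDIRECT_TO, {"site": "cs.ucla.edu"}))
```

Matching is exact rather than prefix or substring based, so a probe carrying site=cs.ucla.edu is sent only to /ndn/edu/ucla/cs and not also to the broader /ndn/edu/ucla entry; an operator who wants both must state both predicates.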