Re: [icnrg] recursive key Lookup in CCNX
Ken Calvert <calvert@netlab.uky.edu> Tue, 05 May 2020 00:52 UTC
Return-Path: <calvert@netlab.uky.edu>
X-Original-To: icnrg@ietfa.amsl.com
Delivered-To: icnrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C41373A1321 for <icnrg@ietfa.amsl.com>; Mon, 4 May 2020 17:52:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=netlab.uky.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RcKllhSJ84vZ for <icnrg@ietfa.amsl.com>; Mon, 4 May 2020 17:52:44 -0700 (PDT)
Received: from mail.netlab.uky.edu (mail.netlab.uky.edu [128.163.140.42]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A0283A132E for <icnrg@irtf.org>; Mon, 4 May 2020 17:52:41 -0700 (PDT)
Received: from [192.168.73.191] (cpe-96-29-182-38.kya.res.rr.com [96.29.182.38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netlab.uky.edu (Postfix) with ESMTPSA id 8DB97180C5; Mon, 4 May 2020 20:52:39 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netlab.uky.edu; s=default; t=1588639959; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Jl2n86hWQbRaaOaVXM8UeKOYyetgxtr9Y3lhQ+kogRo=; b=hQLBEWq814uryluJOCQJYoDAUkAKsu7YRqbp3sQWhUg83ZZU/CStj00IIsF9Fl+vlzs9dS X7zRvIsIBI5WS7vI0UyxMsxPXfmzRt8tO4Pf4/g2yx9JtPMEXbonhcjercn5C7Qj5FXE7t 7ZbEA0QOcbD3UIs3aTmDzVC/0lfaCwRGfPpqWABA45MDm53CVHIU7NVaGl3cfJ4laFNkDq 8lhQtQtS043M428e0WZ24e0h2iKa418qQmwVRx22T9Bbf9lO0hui1WIPHcAikyB6BCTulV aQW+GEG4BqLFPycnnU7n0EVSP9b5rWOg1x4CzF/KghBCz51R+9daFWEyIYPx5g==
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.5\))
From: Ken Calvert <calvert@netlab.uky.edu>
In-Reply-To: <445C0FB8-12E3-45FE-888D-A87634497F2C@parc.com>
Date: Mon, 04 May 2020 20:52:36 -0400
Cc: "icnrg@irtf.org" <icnrg@irtf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4C417993-76E1-4A4B-B210-E6E10B287E36@netlab.uky.edu>
References: <91F2CCB5-F962-4DEF-A8C2-B8BCCD32F185@netlab.uky.edu> <AA95366C-99BF-4333-B6BC-366BE12990F5@parc.com> <74542F45-9E40-485F-A891-CAA92956CC1B@netlab.uky.edu> <445C0FB8-12E3-45FE-888D-A87634497F2C@parc.com>
To: Marc Mosko <mmosko@parc.com>
X-Mailer: Apple Mail (2.3445.9.5)
Authentication-Results: mail.netlab.uky.edu; auth=pass smtp.auth=calvert@netlab.uky.edu smtp.mailfrom=calvert@netlab.uky.edu
X-Spamd-Result: default: False [0.40 / 15.00]; ARC_NA(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; MV_CASE(0.50)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; DKIM_SIGNED(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:10796, ipnet:96.28.0.0/15, country:US]; MID_RHS_MATCH_FROM(0.00)[]
Archived-At: <https://mailarchive.ietf.org/arch/msg/icnrg/nzh4xHPDMZnO7K4P4z9Xzpkq1qI>
Subject: Re: [icnrg] recursive key Lookup in CCNX
X-BeenThere: icnrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Information-Centric Networking research group discussion list <icnrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/icnrg>, <mailto:icnrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/icnrg/>
List-Post: <mailto:icnrg@irtf.org>
List-Help: <mailto:icnrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/icnrg>, <mailto:icnrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2020 00:52:46 -0000
Marc - > I wanted to follow-up on list with some discussions Ken and I have had in private. Thanks for clarifying things for me. I do understand the constraint more precisely now, and (I think) the reasoning behind it. Part of my dismay was because I worry that requiring trust to be characterized through X.509 certificates would lead to reliance on existing web PKI, which IMO would not be a good outcome - though obviously opinions on that may vary. Thanks also for clarifying the ways to do what I wanted to do, for example by defining new fields, as you describe below. Ken > One of the goals we had in writing 8569 / 8609 is for a given field perform only one job. It should be clear what a KeyLink is and how to interpret it, just like other fields. At times in CCNx 0.x, one field would be interpreted one way in one context (often implied by the publisher or based on external data) and interpreted another way in another context. > > In the case of recursive key lookup to validate signatures, the processing would go something like this: > > 1. Content object O1 has signature S1 with keyid K1 and a KeyLink to name N2. A verifier without a corresponding public key to K1 would need to fetch N2 to verify the signature S1. > 2. Content object O2 with name N2 has a signature S2 with keyed K1 and a payload of a certificate C1 that wraps public key with keyid K1. The verifier in step 1 now has the public key that it can verify matches K1 and verifies signature S1. It is done. Trust is a separate issue from mechanical verification of the signature. > 3. In CCNx 0.x, content object O2 usually continued with another KeyLink (called KeyLocator back then) to the certificate of the signer of C1 to establish the trust chain. This second KeyLink in the ValidationAlogrithm section (to use current terms) is not used to verify a ValidationAlogirthm signature, but to establish trust by fetching the next step in the certificate chain of C1. The retrieved content object would not be used to verify the signature of O2, but a completely different purpose. > > If one were to propose a trust mechanism that uses a field in the ValidationAlgorithm section to fetch the next certificate in a chain, one should make a new field, for example CertificateChainLink, for that purpose. The KeyLink is to verify a signature, the CertificateChainLink is to fetch an issuer’s certificate. > > Another possibility is to use the Issuer Alternative Name to embed a URI in the certificate with a ccnx: schema link rather than use an external field CertificateChainLink. > > If one were to develop a CCNx-native certificate, rather than using X.509, based on the ValidationAlgorithm, I think one would likely define additional ValidationDependentData, like CertificateChainLink, to realize that structure -- or even use a more flexible mechanism like SPKI/SDSI or newer mechanisms that can transfer the whole trust chain digests at once. > > Marc >
- [icnrg] recursive key Lookup in CCNX Ken Calvert
- Re: [icnrg] recursive key Lookup in CCNX Ken Calvert
- Re: [icnrg] recursive key Lookup in CCNX Marc Mosko
- Re: [icnrg] recursive key Lookup in CCNX Ken Calvert
- Re: [icnrg] recursive key Lookup in CCNX Marc Mosko
- Re: [icnrg] recursive key Lookup in CCNX Marc Mosko
- Re: [icnrg] recursive key Lookup in CCNX Ken Calvert