NDN Packet Format Specification v0.3

Certificate

Since signature verification is a common operation in NDN applications, it is important to define a common certificate format to standardize the public key authentication procedure. As every NDN data packet is signed, a data packet that carries a public key as content is conceptually a certificate. However, the specification of a data packet alone is not sufficient to serve as the specification of a common NDN certificate format, because additional provisions are required for the latter. For example, a certificate follows a specific naming scheme and may need to include validity period, revocation information, etc. This section defines the naming and structure of NDN certificates.

Structure of an NDN certificate:

  +--------------------------+
  |           Name           |
  +--------------------------+
  |         MetaInfo         |
  |+------------------------+|
  || ContentType:  KEY(2)   ||
  |+------------------------+|
  |+------------------------+|
  || FreshnessPeriod: ~1h   ||
  |+------------------------+|
  +--------------------------+
  |          Content         |
  |+------------------------+|
  ||       Public Key       ||
  |+------------------------+|
  +--------------------------+
  |       SignatureInfo      |
  |+------------------------+|
  || SignatureType:  ...    ||
  || KeyLocator:     ...    ||
  || ValidityPeriod: ...    ||
  || ...                    ||
  |+------------------------+|
  +--------------------------+
  |       SignatureValue     |
  +--------------------------+

  Certificate = DATA-TYPE TLV-LENGTH
                  Name     ; /<IdentityName>/KEY/<KeyId>/<IssuerId>/<Version>
                  MetaInfo ; ContentType == KEY, FreshnessPeriod required
                  CertificateContent
                  CertificateSignatureInfo
                  SignatureValue

  CertificateContent = CONTENT-TYPE TLV-LENGTH
                         SubjectPublicKeyInfo

  CertificateSignatureInfo = SIGNATURE-INFO-TYPE TLV-LENGTH
                               SignatureType
                               KeyLocator
                               [SignatureTime]
                               ValidityPeriod
                               *CertificateExtension

Name

The name of a certificate consists of five parts as shown below:

/<IdentityName>/KEY/<KeyId>/<IssuerId>/<Version>

A certificate name starts with the name of the identity to which the public key is bound. The identity is followed by a literal KEY GenericNameComponent and by the KeyId, IssuerId, and Version components.

KeyId is an opaque name component that identifies an instance of the public key in the certificate namespace. The value of KeyId is controlled by the namespace owner and can be an 8-byte random number, the SHA-256 digest of the certificate's public key, a timestamp, or any other unique numerical identifier.

IssuerId is an opaque name component that identifies the issuer of the certificate. The value is controlled by the certificate issuer and, similar to KeyId, can be an 8-byte random number, the SHA-256 digest of the issuer's public key, or any other free-form identifier.

Version represents the version number of the certificate. This component is encoded as a VersionNameComponent, following either revision 1 (marker-based) or revision 3 (type-based) of the NDN naming conventions.

For example:

  /edu/ucla/cs/yingdi/KEY/%03%CD...%F1/%9F%D3...%B7/v=1617592200702
  \_________________/    \___________/\___________/\______________/
     Identity Name           KeyId      IssuerId       Version
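An added example (not code from the specification or from any NDN library): a parser that splits a certificate name URI into the five parts above and decodes the Version component in both the marker-based (revision 1) and type-based (revision 3) forms. The KeyId and IssuerId values used when exercising it are constructed short stand-ins for the elided values in the example name.

```python
from urllib.parse import unquote_to_bytes


def parse_version_component(comp: str) -> int:
    """Decode the <Version> component from its URI form in either naming-convention revision."""
    if comp.startswith("v="):  # revision 3 (type-based): VersionNameComponent, URI form v=<decimal>
        if not comp[2:].isdigit():
            raise ValueError("revision-3 version must be v=<decimal>")
        return int(comp[2:])
    raw = unquote_to_bytes(comp)  # revision 1 (marker-based): 0xFD marker + nonNegativeInteger
    if len(raw) - 1 in (1, 2, 4, 8) and raw[0] == 0xFD:
        return int.from_bytes(raw[1:], "big")
    raise ValueError("not a version component in revision 1 or revision 3 form")


def parse_certificate_name(uri: str) -> dict:
    """Split /<IdentityName>/KEY/<KeyId>/<IssuerId>/<Version> into its five parts."""
    if not uri.startswith("/"):
        raise ValueError("NDN name URI must start with '/'")
    comps = uri[1:].split("/")
    if any(c == "" for c in comps):
        raise ValueError("empty name component")
    # The fixed suffix is the last four components; whatever precedes it is the identity.
    if len(comps) < 4 or comps[-4] != "KEY":
        raise ValueError("certificate name must end in /KEY/<KeyId>/<IssuerId>/<Version>")
    return {
        "identity": "/" + "/".join(comps[:-4]),
        "key_id": unquote_to_bytes(comps[-3]),  # opaque: compare as bytes, never interpret
        "issuer_id": unquote_to_bytes(comps[-2]),
        "version": parse_version_component(comps[-1]),
    }
```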

MetaInfo

The ContentType must be set to KEY (2).

The FreshnessPeriod must be explicitly specified. The recommended value is 3,600,000 (1 hour).

Content

The Content element of a certificate contains the actual bits of the public key, formatted as a DER-encoded SubjectPublicKeyInfo structure.

SignatureInfo

The SignatureInfo element of a certificate is required to include a ValidityPeriod element.

ValidityPeriod contains two TLV sub-elements: NotBefore and NotAfter, each carrying a UTC timestamp in ISO 8601-1:2019 compact format without the final "Z" character ("YYYYMMDDThhmmss", e.g., "20201231T235959"). NotBefore indicates when the certificate takes effect while NotAfter indicates when the certificate expires.

  ValidityPeriod = VALIDITY-PERIOD-TYPE TLV-LENGTH
                     NotBefore
                     NotAfter

  NotBefore = NOT-BEFORE-TYPE TLV-LENGTH IsoDate "T" IsoTime

  NotAfter = NOT-AFTER-TYPE TLV-LENGTH IsoDate "T" IsoTime

  IsoDate = 8DIGIT ; YYYYMMDD (UTC)

  IsoTime = 6DIGIT ; hhmmss (UTC)
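An added example (not code from the specification or from any NDN library): a minimal encoder and decoder for the ValidityPeriod element above, with a strict check of the compact timestamp format (no trailing "Z", no fraction or offset) and the inclusive validity-window test a validator runs before trusting a certificate. The TLV-TYPE numbers 0xFD, 0xFE and 0xFF for ValidityPeriod, NotBefore and NotAfter are taken from the spec's type assignment table, which this section does not reproduce.

```python
from datetime import datetime, timezone
VALIDITY_PERIOD_TYPE, NOT_BEFORE_TYPE, NOT_AFTER_TYPE = 0xFD, 0xFE, 0xFF  # from the spec's type table, not this page
ISO_COMPACT = "%Y%m%dT%H%M%S"  # YYYYMMDDThhmmss in UTC, no trailing "Z"
def encode_varnum(n: int) -> bytes:  # NDN variable-length number for TLV-TYPE and TLV-LENGTH
    if n < 0xFD:
        return bytes([n])
    width = 2 if n <= 0xFFFF else 4 if n <= 0xFFFFFFFF else 8
    return bytes([{2: 0xFD, 4: 0xFE, 8: 0xFF}[width]]) + n.to_bytes(width, "big")

def decode_varnum(buf: bytes, pos: int) -> tuple:
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}.get(buf[pos])  # marker octet selects the 2/4/8-octet form
    if width is None:
        return buf[pos], pos + 1
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "big"), pos + 1 + width

def tlv(t: int, value: bytes) -> bytes:
    return encode_varnum(t) + encode_varnum(len(value)) + value

def parse_compact(stamp: str) -> datetime:
    """Accept only 8DIGIT 'T' 6DIGIT; a trailing 'Z', fraction or offset is rejected."""
    if len(stamp) != 15 or stamp[8] != "T":
        raise ValueError("timestamp must be YYYYMMDDThhmmss (UTC, no 'Z')")
    return datetime.strptime(stamp, ISO_COMPACT).replace(tzinfo=timezone.utc)

def encode_validity_period(not_before: str, not_after: str) -> bytes:
    """ValidityPeriod = VALIDITY-PERIOD-TYPE TLV-LENGTH NotBefore NotAfter."""
    inner = tlv(NOT_BEFORE_TYPE, not_before.encode()) + tlv(NOT_AFTER_TYPE, not_after.encode())
    return tlv(VALIDITY_PERIOD_TYPE, inner)

def decode_validity_period(buf: bytes) -> tuple:
    """Parse a ValidityPeriod TLV; NotBefore and NotAfter must both be present, in order."""
    t, pos = decode_varnum(buf, 0)
    length, pos = decode_varnum(buf, pos)
    if t != VALIDITY_PERIOD_TYPE or pos + length != len(buf):
        raise ValueError("not a well-formed ValidityPeriod element")
    stamps = []
    for expected in (NOT_BEFORE_TYPE, NOT_AFTER_TYPE):
        t, pos = decode_varnum(buf, pos)
        length, pos = decode_varnum(buf, pos)
        if t != expected:
            raise ValueError("expected NotBefore followed by NotAfter")
        stamps.append(buf[pos:pos + length].decode("ascii"))
        parse_compact(stamps[-1])  # reject malformed timestamps before trusting them
        pos += length
    if pos != len(buf):
        raise ValueError("trailing bytes inside ValidityPeriod")
    return stamps[0], stamps[1]

def is_valid_at(validity_period: bytes, when: str) -> bool:
    not_before, not_after = decode_validity_period(validity_period)
    return parse_compact(not_before) <= parse_compact(when) <= parse_compact(not_after)
```

Note that type numbers 253 and above cannot be written as a single octet, so all three elements here carry the 3-octet 0xFD-prefixed TLV-TYPE form.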

Extensions

A certificate may carry zero or more extension fields in its SignatureInfo element.

An extension can be either critical or non-critical depending on its TLV-TYPE number. A critical TLV-TYPE means that if a validator cannot recognize or parse the extension, the validator must reject the whole certificate. Conversely, an extension with a non-critical TLV-TYPE may be ignored by the validator if it is not recognized. Refer to the general evolvability rules to determine whether a TLV-TYPE is critical or not.

The TLV-TYPE number range [256, 511] is reserved for extensions. This document currently defines one extension: AdditionalDescription.

  CertificateExtension = AdditionalDescription

AdditionalDescription

AdditionalDescription is a non-critical extension that provides additional information about the certificate. The information is expressed as a set of key-value pairs. Both key and value are UTF-8 strings, e.g., ("Organization", "UCLA"). The issuer of a certificate can specify arbitrary key-value pairs to provide further details about the certificate.

  AdditionalDescription = ADDITIONAL-DESCRIPTION-TYPE TLV-LENGTH
                            1*DescriptionEntry

  DescriptionEntry = DESCRIPTION-ENTRY-TYPE TLV-LENGTH
                       DescriptionKey
                       DescriptionValue

  DescriptionKey = DESCRIPTION-KEY-TYPE TLV-LENGTH 1*OCTET

  DescriptionValue = DESCRIPTION-VALUE-TYPE TLV-LENGTH 1*OCTET