Override certificate name parts in KeyLocator

Question

Override certificate name parts in KeyLocator

Opened this issue 4 years ago · 1 comments

Since #72, KeyLocator can contain either a key name or a certificate name.
When the validator operates in a network environment that uses a distinct certificate chain than what appears the KeyLocator, it may be necessary to override parts of the certificate name before fetching certificate.

This feature is to introduce an "issuer id override" option in ndn_sig_verifier_verify_*.
After specifying this option to <issuer-id>:

For KeyLocator name that is a key name /<subject>/KEY/<key-id>, certificate retrieval Interest should be /<subject>/KEY/<key-id>/<issuer-id> CanBePrefix=true.
For KeyLocator name that is a certificate name with a different issuer id /<subject>/KEY/<key-id>/<issuer-other>, certificate retrieval Interest should be /<subject>/KEY/<key-id>/<issuer-id> CanBePrefix=true.
For KeyLocator name that is a certificate name with the same issuer id /<subject>/KEY/<key-id>/<issuer-id>/<version>, certificate retrieval Interest should be /<subject>/KEY/<key-id>/<issuer-id>/<version> CanBePrefix=false.

Answer 1 · 2020-05-29T19:21:18.000Z

Cross-project links:
https://redmine.named-data.net/issues/5113