Internet DRAFT - draft-yan-icnrg-cpki
draft-yan-icnrg-cpki
ICNRG Z. Yan
Internet-Draft CNNIC
Intended status: Standards Track 28 July 2015
Expires: January 28, 2016
Architecture of Content Public Key Infrastructure
draft-yan-icnrg-cpki-00.txt
Abstract
With the wide deployment of Named Data Networking (NDN), secure and
trustful content management architecture is needed in order to
authenticate the producer of the content and authorize the publisher
of the content. This draft proposes the architecture of Content
Public Key Infrastructure (CPKI) for these motivations.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 28, 2016.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
Yan Expires January 28, 2016 [Page 1]
Internet-Draft Architecture of CPKI 28 July 2015
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 2
2. CPKI architecture . . . . . . . . . . . . . . . . . . . . . . 2
3. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 3
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 3
1. Requirements
The first-class citizen in NDN is the content, and the secure and
trustful management of content in NDN is necessary for the wide
deployment of NDN. Specifically, there are two basic requirements:
1) It should be possible to authenticate the producer of the content.
In this way, the copyright and integrity of the content can be
guaranteed.
2) It should be possible to authorize the publishers of the content.
In this way, the distributed routing principle can be securely
followed with the above consideration.
2. CPKI architecture
1) Certificates
Certificates in the CPKI are called content certificates. Content
certificates attest to the allocation by the (certificate) issuer of
content to the publishers (including producer). They do this by
binding the public key contained in the content certificate to the
content included in the extended NDN Data packets.
o Producer certificates: Any content producer must be able to issue
producer certificate to bind the content with its origination.
o Publisher certificates: The producer will allocate publisher
certificate to the authorized publishers. Besides, a Trust
Locator (TL) should be bound which directs to the issuer of the
publisher certificate.
2) Trust model
Yan Expires January 28, 2016 [Page 2]
Internet-Draft Architecture of CPKI 28 July 2015
Each publisher (including the producer) in NDN, who is responsible
for its content (either because the publisher created it, verified
it, or merely because the publisher vouches for it), is always
associated with a certificate as illustrated above.
In default, the verification of the producer certificate should
follow the name structure from lower layer to upper layer, as the
trust model in DNSSEC. Based on this principle, the parent
certificate issuer publishes the certificate to its children as the
hierarchical relationship between the content names.
For the verification of publisher certificate, the TL is an index.
With the TL, the issuer can be located and then the hierarchical
trust chain is followed.
3. Conclusions
CPKI aims to establish a model to support the content origination
authentication and transmission authorization. Based on CPKI, other
security schemes can be added on.
[In the future, more details will be given to make CPKI
comprehensive.]
Author's Address
Zhiwei Yan
CNNIC
No.4 South 4th Street, Zhongguancun
Beijing 100190
China
EMail: yan@cnnic.cn
Yan Expires January 28, 2016 [Page 3]