security: add certificate revocation record#189
Conversation
|
https://github.com/UCLA-IRL/ndnrevoke. Please use this as reference for Revocation Record. |
Co-authored-by: Cursor <cursoragent@cursor.com>
|
Thanks for the pointer. I looked through The public API is still limited to the requested low-level surface: Revoke(cert ndn.Data)
IsRevoked(cert ndn.Data) boolInternally, I reran: go test ./std/security -run 'TestCertificateRevocationRecord' -count=20
go test -race ./std/security
go test ./std/security
make testAll passed. |
|
Thanks for the initial work! I saw that you currently have a struct storing revocation records and make the code checks against that. That's exactly the next step we want to work on. The library has a module trust_config that automates the data authentication and authorization workflow, and actually the downstream applications who uses ndnd mainly rely on the high-level APIs that are binded to this module to get rid of the crypto details. At high level, it executes the NDN trust schema and recursively climb the certification chain for a received data until reaching a bootstrapped (or otherwise externally authenticated) trust anchor. We need corporate the revocation here -- so obviously we need to store received revocation records here....but first lets think about design space. |
|
Thanks for the context. I’ll pause on further implementation for now and read through |
|
I went through the My understanding is that I also see why the Envelope-related code can look like it jumps between trust anchors. I’ll avoid touching that part for now unless needed, and focus only on where revocation records should be stored and checked inside the current validation workflow. |
|
Based on my current understanding, I see the next step as a design problem around The current PR gives us the low-level revocation record primitive. The next question is where that record should live and when I think the design space is:
So my proposed next step is to start with (1), while shaping the store so (2) can fit naturally later. I’ll keep the Envelope-related code untouched for now and only use the Envelope paper as context for why revocation belongs as a validation/checker step. Does this direction sound right before I update the PR further? |
|
Sharing the HLD and diagram for the TrustConfig revocation design discussed above. Attachments
HLDGoal: integrate revocation into the high-level validation workflow, not only as the low-level Proposed flow flowchart TD
dataPacket["Received Data"] --> validate["TrustConfig.Validate"]
validate --> keyLocator["Read KeyLocator"]
keyLocator --> certSource["Cert from cache, fetch, or direct args"]
certSource --> revokedCheck["Check TrustConfig revocation store"]
revokedCheck -->|"revoked"| reject["Fail validation"]
revokedCheck -->|"not revoked"| schemaCheck["Trust schema check"]
schemaCheck --> sigCheck["Signature check"]
sigCheck --> certChain["Validate signing cert"]
certChain --> validate
Where to check revocation
Sequenced design space
Out of scope for now
The draw.io diagram shows the same flow with cert sources, fail path, trust-anchor path, and notes on where the store should live. |
|
Following up on the design proposal above — no rush, just checking whether the direction makes sense before I start coding. To summarize what I'd do first if this looks reasonable:
I'll hold off on further PR changes until I hear back. Happy to adjust the plan if you'd prefer a different starting point (e.g. storing received revocation record Data earlier, or a different hook in the validation path). |
For storing revocation records, I am thinking probably we don't need a separate store. The same store for certificate works for revocation too, since both are data, and store support name-based query. For a certificate, it's straightforward to use naming convention to construct its potential revocation name and query the store. Yeah now let's assume revocation records are already delivered to local...we need an API to install revocation records. Revocation records has a notBefore -- marking data produced before this timestamp should be valid. It's related to #186, which I am trying to review and merge now. We need to implement the timestamp checking logic after we merged the feature (soon). |
LGTM. Not sure if your diagram captures that, but we need to skip trust anchor for revocation checking. |
|
Thanks for the feedback — this helps a lot. A few notes on how I'm reading it and what I'll do next. On storage: I'll drop the idea of a separate On the install API: Agreed that the next concrete piece is an API to install received revocation records locally (assuming they're already delivered). I'll shape that before wiring checks into On validation hooks: I'll keep the same hook points from the HLD (cache hit, post-fetch before cache insert, direct On On network fetch: I'll start with local install + store lookup only, and leave comments in code where a future Interest-based revocation fetch could plug in. Plan for the next PR update:
I'll start on this unless you'd rather split install vs. validation into separate PRs. |
|
Pushed the TrustConfig integration in
Tests: |
|
Addressing the feedback that revocation records should be Data packets (not in-memory structs):
Tests pass ( |
Summary
RevokeandIsRevokedcertificate revocation APIs instd/security.UCLA-IRL/ndnrevoke's revocation record shape.REVOKE-style record names from certificate names and keep record metadata including the certificate name, public key hash, reason, and timestamp.Test plan
go test ./std/security -run 'TestCertificateRevocationRecord' -count=20go test -race ./std/securitygo test ./std/securitymake test