ICNRG                                                             Z. Yan
Internet-Draft                                                     CNNIC
Intended status: Standards Track                            28 July 2015
Expires: January 28, 2016


           Architecture of Content Public Key Infrastructure
                      draft-yan-icnrg-cpki-00.txt

Abstract

   With the wide deployment of Named Data Networking (NDN), secure and
   trustful content management architecture is needed in order to
   authenticate the producer of the content and authorize the publisher
   of the content.  This draft proposes the architecture of Content
   Public Key Infrastructure (CPKI) for these motivations.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 28, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of



Yan                     Expires January 28, 2016                [Page 1]

Internet-Draft            Architecture of CPKI              28 July 2015


   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Requirements  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  CPKI architecture . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Conclusions . . . . . . . . . . . . . . . . . . . . . . . . .   3
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   3

1.  Requirements

   The first-class citizen in NDN is the content, and the secure and
   trustful management of content in NDN is necessary for the wide
   deployment of NDN.  Specifically, there are two basic requirements:

   1) It should be possible to authenticate the producer of the content.
   In this way, the copyright and integrity of the content can be
   guaranteed.

   2) It should be possible to authorize the publishers of the content.
   In this way, the distributed routing principle can be securely
   followed with the above consideration.

2.  CPKI architecture

   1) Certificates

   Certificates in the CPKI are called content certificates.  Content
   certificates attest to the allocation by the (certificate) issuer of
   content to the publishers (including producer).  They do this by
   binding the public key contained in the content certificate to the
   content included in the extended NDN Data packets.

   o  Producer certificates: Any content producer must be able to issue
      producer certificate to bind the content with its origination.

   o  Publisher certificates: The producer will allocate publisher
      certificate to the authorized publishers.  Besides, a Trust
      Locator (TL) should be bound which directs to the issuer of the
      publisher certificate.

   2) Trust model




Yan                     Expires January 28, 2016                [Page 2]

Internet-Draft            Architecture of CPKI              28 July 2015


   Each publisher (including the producer) in NDN, who is responsible
   for its content (either because the publisher created it, verified
   it, or merely because the publisher vouches for it), is always
   associated with a certificate as illustrated above.

   In default, the verification of the producer certificate should
   follow the name structure from lower layer to upper layer, as the
   trust model in DNSSEC.  Based on this principle, the parent
   certificate issuer publishes the certificate to its children as the
   hierarchical relationship between the content names.

   For the verification of publisher certificate, the TL is an index.
   With the TL, the issuer can be located and then the hierarchical
   trust chain is followed.

3.  Conclusions

   CPKI aims to establish a model to support the content origination
   authentication and transmission authorization.  Based on CPKI, other
   security schemes can be added on.

   [In the future, more details will be given to make CPKI
   comprehensive.]

Author's Address

   Zhiwei Yan
   CNNIC
   No.4 South 4th Street, Zhongguancun
   Beijing  100190
   China

   EMail: yan@cnnic.cn


















Yan                     Expires January 28, 2016                [Page 3]