X.509 Certification Path Validation - Entrust

X.509 certification path validation summary/conclusions
PKI deployment planning includes ensuring that products/services being deployed support the
requirements to protect relying parties. Some functional aspects that need to be carefully considered
include:
• CA support for inclusion of relevant infrastructure constraints;
• Central management of process constraints;
• Flexibility in configuring infrastructure and process constraints to suit specific and changing
needs; and
• Relying party path validation support for processing initialization and infrastructure constraints.
Given the vital role path validation plays in PKI, it is critical that relying party systems that perform path
validation implement the set of processes properly and in compliance with the requirements of the base
standards. Otherwise, relying parties may unknowingly place trust in untrustworthy certificates, defeating
the very purpose of the PKI. The PKITS test suite now provides an authoritative and comprehensive set
of conformance tests for all aspects of path validation. These tests are freely available, along with the test
data, from the NIST web site and can be run against a path validation system to ensure proper
functioning. In addition to the PKITS test suite, the bridge-enabled protection profile provides a valuable
companion specification describing the features that are required by a path validation implementation to
claim support for the bridge-enabled environment. Relying party systems that support all these features
and pass the corresponding PKITS tests provide a solid comprehensive path validation process.
© Copyright 2004 Entrust. www.entrust.com
All rights reserved. Page 15