X.509 Certification Path Validation - Entrust

Certificate policies        Policy controls
Policy mappings             Policy controls
Policy constraints          Policy controls
Inhibit any policy          Policy controls
Name constraints            Name controls
Subject alternative name    Name controls

Figure 2: Path Validation Extensions

The remaining standard certificate extensions serve other purposes, such as guidance for path development or support in locating revocation information. Those extensions are therefore outside the scope of this paper. However, for completeness they are listed below. Note that additional extensions can be defined by other groups for other purposes but those extensions would not have a role in standard path validation.

• Authority information access
• CRL distribution points
• Extended key usage
• Freshest CRL
• Issuer alternative name
• Private key usage period
• Subject directory attributes
• Subject information access

There is also a standard set of extensions that appear in CRLs rather than certificates. These are not listed here but can be found in [X.509] and [PKIX].

© Copyright 2004 Entrust. All rights reserved.

3. PATH VALIDATION

Within this paper, path validation is defined as the set of processes undertaken by the relying party to verify the integrity, trustworthiness and appropriateness of all certificates in a certification path, including the certificate issued to the subscriber. [X.509] describes all of these processes as necessary for the relying party; however, only a subset are included in the “path processing procedures” portion of the standard. This paper combines the complete set of processes under the umbrella of “path validation” to provide a complete view of the processing necessary before a relying party trusts a subscriber certificate.

Path validation includes a set of process inputs, the processes themselves, and a set of process outputs. The processes themselves include checks to ensure that the certification path is a properly built path according to the [X.509] requirements, basic certificate checks that are performed against each certificate in the path, and a set of business controls checks to ensure that relying on the subscriber’s certificate would adhere to the constraints put upon certificates in the path by the local PA as well as by all authorities that issued certificates included in the path.

INPUTS
  Trust Anchor Public Key
  Certification Path
  Revocation Information
  Process Constraints

PROCESSES
  Path Structure Processes
  Certificate Validity
  Business Controls

OUTPUT
  Success Indication & process details
  OR
  Failure Indication & Reason

Figure 3: Path Validation Outline

3.1 PATH VALIDATION INPUTS

In addition to the certification path itself, the path validation process requires the relying party’s trust anchor public key, revocation status information for each certificate in the path, and any process constraints relevant to the particular instance of path validation to tailor it to the policy environment in which the transaction is being executed (see Section 3.1.4).
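
The outline in Figure 3, as an added example that is not part of the original paper: a simplified Python model that takes the four inputs, runs the three process groups in order, and returns success with details or failure with a reason. The field names, sample names, keys and policy labels are assumptions; the 'signed_by' field stands in for real signature verification, and policy mappings, anyPolicy, inhibit any policy and excluded subtrees are left out.

```python
from datetime import datetime, timezone

def validate_path(anchor, path, revoked, constraints, now):
    """Return (True, details) or (False, reason); path is ordered from the anchor down."""
    if not path:
        return False, "empty path"
    issuer, key, permitted, policies = anchor["name"], anchor["key"], [], None
    for i, cert in enumerate(path):
        # Path structure: each certificate chains to the previous subject and key.
        # 'signed_by' stands in for verifying the signature with the issuer's key.
        if cert["issuer"] != issuer or cert["signed_by"] != key:
            return False, f"cert {i}: does not chain to {issuer}"
        if i < len(path) - 1 and not cert.get("is_ca"):
            return False, f"cert {i}: intermediate is not a CA"
        # Certificate validity: validity period, then revocation status.
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, f"cert {i}: outside validity period"
        if (cert["issuer"], cert["serial"]) in revoked:
            return False, f"cert {i}: revoked"
        # Name controls: each DNS name must fall in a permitted subtree of every
        # earlier CA that set name constraints.
        for name in cert.get("san", []):
            for subtrees in permitted:
                if not any(name == s or name.endswith("." + s) for s in subtrees):
                    return False, f"cert {i}: {name} violates name constraints"
        # Policy controls: a policy is valid only if every certificate asserts it.
        asserted = set(cert.get("policies", []))
        policies = asserted if policies is None else policies & asserted
        if cert.get("permitted_subtrees"):
            permitted.append(cert["permitted_subtrees"])
        issuer, key = cert["subject"], cert["key"]
    wanted = constraints.get("initial_policy_set")  # process constraint (assumed name)
    if wanted is not None and not (policies & set(wanted)):
        return False, "no acceptable policy is valid across the path"
    return True, {"subject": issuer, "policies": sorted(policies)}

# Constructed sample input (hypothetical names, keys and policy labels).
T0, T1 = datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2026, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
ANCHOR = {"name": "Root CA", "key": "k-root"}
CA = {"issuer": "Root CA", "signed_by": "k-root", "subject": "Issuing CA", "key": "k-ca",
      "serial": 1, "is_ca": True, "not_before": T0, "not_after": T1,
      "policies": ["medium", "basic"], "permitted_subtrees": ["example.com"]}
EE = {"issuer": "Issuing CA", "signed_by": "k-ca", "subject": "www", "key": "k-ee",
      "serial": 7, "not_before": T0, "not_after": T1,
      "policies": ["medium"], "san": ["www.example.com"]}

if __name__ == "__main__":
    print(validate_path(ANCHOR, [CA, EE], set(), {"initial_policy_set": ["medium"]}, NOW))
```
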
3.1.1 Trust Anchor

A trust anchor is a CA that is trusted by the relying party and its public key is the basis upon which other trust decisions are made. There are a number of out-of-band schemes that can be used to convey trust anchor public keys to relying parties. These schemes need to ensure that relying parties are securely provided with the appropriate trust anchor public keys and that relying parties do not make use of CA public keys that may be conveyed through unapproved mechanisms. For example, some PAs may restrict their relying party community to using a single trust anchor, the local CA, for all instances of path validation. In other environments, the PA may approve use of some/all trust anchors whose root keys are
