Views
3 years ago

Understanding Certification Path Construction - oasis pki

Understanding Certification Path Construction - oasis pki

Understanding Certification Path Construction - oasis

UnderstandingCertification Path ConstructionCertification path construction is a complex process and is subject to somedegree of trial and error. The certification path construction process hasnot been standardized, and there is very little published informationavailable to help implementers and product evaluators understand thecomplexities involved. The purpose of this white paper is to clarify issuesassociated with the certification path construction process and to makerecommendations where appropriate.IntroductionPublic Key Infrastructure (PKI) supports a number of security-related services, includingdata confidentiality, data integrity, and end-entity authentication. Fundamentally, theseservices are based on the proper use of public/private key pairs. The public component ofthis key pair is issued in the form of a public key certificate and, in association with theappropriate algorithm(s), it may be used to verify a digital signature, encrypt data, orboth 1 .Before a certificate can be used, it must be validated. In order to validate such a certificate,a chain of certificates or a certification path between the certificate and an establishedpoint of trust must be established, and every certificate within that path must be checked.This process is referred to as certification path processing 2 .September 2002AcknowledgementsWhite Paper is a deliverablefrom the PKI Forum’s TechnicalGroup (TWG). Several memberorganizations and individualshave contributed by providingcontent, editorial assistance andeditorial reviews.Author:Steve LloydPKI ForumEditors:Andrew NashRuss HousleyJohn LinnMagnus NystromRSA SecurityHelen MullengerBaltimore TechnologiesJeff StapletonKPMG LLPIn general, certification path processing consists of two phases: 1) path construction and2) path validation described as follows:1) Path construction involves "building" one or more candidate certification paths. Notethat we use "candidate" here to indicate that although the certificates may chaintogether properly, the path itself may not be valid for other reasons such as pathlength, name, or certificate policy constraints/restrictions.2) Path validation includes making sure that each certificate in the path is within itsestablished validity period, has not been revoked, has integrity, et cetera; and anyconstraints levied on part or all of the certification path are honored (e.g., path lengthconstraints, name constraints, policy constraints). However, some aspects that mightbe associated with path validation are sometimes taken into consideration during thepath construction process in order to maximize the chances of finding an acceptablecertification path sooner rather than later. We will revisit these concepts later in thispaper.ContentsIntroduction 1Purpose, Scope andAssumptions 2Basic Concepts 2Identifying AppropriateCertificates 6Constructing CertificationPaths 8Evaluating CertificatePaths During the PathConstruction Process 12Summary 141It should be recognized that there are several reasons that separate key pairs should be used fordigital signature and confidentiality, including differing requirements associated with key backup/recovery and long-term handling of keying material, and the ability to use different algorithms foreach (e.g., DSA could be used for the digital signature and RSA could be used for symmetric keyexchange).References 142This is sometimes called "certificate path processing." We use "certification path processing" inorder to maintain consistency with the terminology found in X.509.

"Web Services and the Resurgence of PKI", Warwick Ford ... - oasis pki
X K M S Interoperability Testing?! - oasis pki
Understanding Certification Path Construction - oasis pki
CESG Interop Report - oasis pki
PKI Basics - A technical perspective - oasis pki
PKI Interoperability Framework Whitepaper - oasis pki
PKI Deployment – Business Issues - oasis pki
Deployment Lessons Learned - oasis pki
PKI Certificate Expiry Reporter
The Interoperability between NPKI(National PKI) & GPKI ... - oasis pki
X.509 Certification Path Validation - Entrust
Opening session and status report on work items - oasis pki
Certificate Revocation with VeriSign Managed PKI - White Paper
Certificate Path Discovery by Constructing Virtual ... - Ijiee.org
SAML V2.0 Identity Assurance Profiles, Version 1.0 - OASIS Open ...
JITC Interoperability Certification of Public Key ... - Oasis-pki.org
healing oasis wellness center advanced neurology certification ...
Certification Path Processing in the Tumbleweed Validation ...
Efficient Certification Path Discovery for MANET
Latest Developments in Implementation, Judith ... - Oasis-pki.org
On the Path to Renewable Energy Certificate Derivatives
Clearance Certificate in Construction - wsib
Clearance Certificate in Construction - wsib
Whitepaper: Understanding SSL Certificates - Thawte
Understanding X.509 Attribute Certificates - Pascal Jakobi
Functional Requirements for Path Validation Systems
Visual Studio 2008 Certification Paths - bangkok advanced learning
SecureTrust Extended Validation Certificate ... - SSL By Trustwave
how to obtain a qualifying party certificate - Construction Seminars