
DPV server certificate validation

Dear list,

Section 4.13.2 of scvp draft 18 sets some guidelines on how a DPV client
must validate the server's certificate.
However, it's my opinion that this section requires more clarification.

Quoted from scvp draft 18
"It is a matter of local policy what validation policy the client uses
when validating responses.  When validating protected SCVP responses,
SCVP clients SHOULD use the validation algorithm defined in section 6 of
[PKIX-1]".

Here are the issues with the above quote
- DPV clients (by definition) cannot perform path validation locally. So
they cannot validate the DPV server certificate as specified in section
6 of RFC 3280. 
- Even if the clients can perform path validation on the server certificate,
it's insecure to deploy a trust model where an entity low in the PKI
hierarchy is given the authority to answer for the trust anchor (unless
that authority is granted explicitly by the trust anchor).
A rogue CA (not yet revoked) low in the hierarchy can issue a DPV server
certificate in accordance with section 4.13.2 of scvp draft 18 and
compromise the whole PKI.

The solution could be limiting the path length of the server
certificates and including a special extension in the certificate
indicating that the TA has granted the authority to the server and no
further check is required on the certificate.

Thoughts?

Piyush
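The following is an added illustration of the two checks proposed in the message above (a path-length limit on the DPV server certificate plus a TA-granted authority extension), written for this page and not code from the poster, the SCVP draft or any SCVP implementation. It uses Go's standard crypto/x509 package and makes these assumptions: the DPV client is able to perform at least this one short, bounded path validation to its own trust anchor (the post notes that a DPV client cannot do general path validation locally); the extension OID is a made-up private-arc value standing in for whatever the draft would define; and the whole PKI (trust anchor, one subordinate CA, three candidate server certificates) is constructed in memory as test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// HYPOTHETICAL private-arc OID and extension for "TA granted this server DPV
// authority" (value: DER BOOLEAN TRUE); an assumption here, not from the SCVP draft.
var oidDPVAuthority = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
var dpvGrant = []pkix.Extension{{Id: oidDPVAuthority, Value: []byte{0x01, 0x01, 0xff}}}

// Issuers allowed between server cert and TA; 1 means the TA issued it directly.
const maxDPVIssuers = 1

type certKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newTemplate builds a minimal template for the constructed test PKI.
func newTemplate(cn string, isCA bool, serial int64, ext []pkix.Extension) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
		ExtraExtensions: ext,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with parent's key (self-signed when parent is nil); panics only on test-data setup failure.
func issue(tmpl *x509.Certificate, parent *certKey) *certKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil { signerCert, signerKey = parent.cert, parent.key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return &certKey{cert, key}
}

// ValidateDPVServerCert does ordinary path validation to ta, then adds the post's two checks.
func ValidateDPVServerCert(server, ta *x509.Certificate, intermediates []*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ta)
	for _, c := range intermediates { inter.AddCert(c) }
	chains, err := server.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	shortEnough := false
	for _, chain := range chains { // each chain runs server ... TA
		shortEnough = shortEnough || len(chain)-1 <= maxDPVIssuers
	}
	if !shortEnough {
		return errors.New("server certificate sits too far below the trust anchor")
	}
	for _, ext := range server.Extensions {
		if ext.Id.Equal(oidDPVAuthority) {
			return nil
		}
	}
	return errors.New("server certificate lacks the TA-granted DPV authority extension")
}

// Demo builds the constructed PKI and returns each candidate server certificate's validation result.
func Demo() map[string]error {
	ta := issue(newTemplate("Trust Anchor", true, 1, nil), nil)
	sub := issue(newTemplate("Subordinate CA", true, 2, nil), ta)
	// The rogue sub-CA can copy the extension (third case) but cannot shorten the path.
	candidates := map[string]*certKey{
		"ta-issued-with-extension":      issue(newTemplate("dpv.example", false, 3, dpvGrant), ta),
		"ta-issued-no-extension":        issue(newTemplate("dpv.example", false, 4, nil), ta),
		"subca-issued-forged-extension": issue(newTemplate("dpv.example", false, 5, dpvGrant), sub),
	}
	results := map[string]error{}
	for name, ck := range candidates {
		results[name] = ValidateDPVServerCert(ck.cert, ta.cert, []*x509.Certificate{sub.cert})
	}
	return results
}

func main() {
	for name, res := range Demo() {
		fmt.Printf("%-30s -> %v\n", name, res)
	}
}
```

Running it with `go run` prints one line per candidate. Only the TA-issued certificate carrying the extension validates; the TA-issued certificate without it fails the extension check, and the certificate issued by the subordinate CA fails the path-length check even though it carries a copied extension. That third case is the point of pairing the two rules: a subordinate CA can always mint an extension it does not own, so the extension by itself only labels the certificate, while the path-length limit is what actually denies a lower CA the ability to speak for the trust anchor.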
