
Re: DPD & DPV Basics



Steve,

Frank Balluffi wrote:
 > 1. Can someone explain the value of a DPD server returning a path that may
 > not be valid? I would argue that path discovery should be an optional
 > internal operation performed by a DPV server. I say this as someone who has
 > implemented support for SCVP draft 4's path building types of check. To me
 > the operation should be implicit.

I agree that there's not much utility in having a DPD server return an
invalid (or unvalidated) path. However, I don't agree that path
discovery should be part of a DPV server's job. Instead, I would argue
that validation should be part of a DPD server's job.

The strawman already calls for a DPD server to perform validation. You're suggesting that a DPV server should not have to perform discovery. That would imply that either:
(1) the client passed in a complete path, and matching revocation status data,
(2) the client called the DPD server first, then passed on the result to the DPV server
(3) or that a DPV server called a DPD server in support of discovery.


What simplifications to the overall architecture arise if we split responsibility this way? Certainly if we expect one server to do both, i.e., to have DPV piggyback on DPD but with slightly different interfaces, this isn't all that helpful. I'm not rejecting this approach, but I want to understand its benefits in more detail.

My team has also implemented path discovery and validation (although not
yet delegated discovery and validation). Validation is a fairly simple
matter of running the PKIX validation algorithm using certain
parameters. Discovery is *much* more complicated, involving heuristics
for guessing which certificates might lead to the target certificate (or
to the trust anchor, if building forward), partial validation to
discover when a partial path is futile, and loop detection. I would
argue that DPD is substantially harder than DPV and DPV is often
sufficient. So it is definitely worthwhile to define DPV as a separate
operation. Many servers may only want to support that operation.

No argument that discovery is harder, and it subsumes validation. But, what is the basis for arguing that validation, based on supplying complete cert chains and revocation status data, will be the more common case and thus we should optimize for it? Several protocols allow for transmission of certs and CRLs, but some allow transmission only for certs, perhaps because that is static data that is easier to configure into the client.


<snip>


Steve
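The discovery-versus-validation split argued over above, as an added toy example that is not code from either correspondent or from any SCVP implementation: `validate_path` is the DPV half (a linear check over a complete, client-supplied chain), `discover_path` is the DPD half (a backward search with loop detection and early pruning of futile partial paths). The certificate names, the pool and the `expired` flag are constructed; `expired` stands in for whatever per-certificate check fails during partial validation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Toy certificate: only the fields the search needs (constructed)."""
    subject: str
    issuer: str
    expired: bool = False  # stands in for any per-cert check that can fail

ANCHORS = {"Root"}                    # trust anchor names (constructed)
TARGET = Cert("ee", "CA-B")           # the end-entity cert being checked
POOL = [                              # candidate certs available to the server
    Cert("CA-B", "Root", expired=True),  # direct link, but futile: expired
    Cert("CA-A", "CA-B"),                # cross-cert that closes a loop
    Cert("CA-B", "CA-A"),
    Cert("CA-A", "Root"),
]

def validate_path(path, anchors):
    """DPV-style check of a complete path (target first, anchor-issued cert
    last): each cert must be issued by the next one, none may be expired,
    and the last cert must be issued by a trust anchor. No discovery."""
    if not path or path[-1].issuer not in anchors:
        return False
    if any(c.expired for c in path):
        return False
    return all(c.issuer == nxt.subject for c, nxt in zip(path, path[1:]))

def discover_path(target, pool, anchors):
    """DPD-style search: walk backward from the target toward a trust anchor.
    Partial validation prunes a branch as soon as its newest cert fails a
    check; the visited set stops the CA-A <-> CA-B cross-cert loop."""
    def search(path, visited):
        head = path[-1]
        if head.expired:                 # futile partial path: stop here
            return None
        if head.issuer in anchors:       # reached a trust anchor
            return path
        for cand in pool:
            if cand.subject == head.issuer and cand not in visited:
                found = search(path + [cand], visited | {cand})
                if found is not None:
                    return found
        return None                      # every branch was exhausted
    return search([target], {target})

if __name__ == "__main__":
    path = discover_path(TARGET, POOL, ANCHORS)
    print([c.subject for c in path], validate_path(path, ANCHORS))
```

Running it prints `['ee', 'CA-B', 'CA-A'] True`: the search backtracks out of the cross-cert loop and past the expired direct link, and the validation pass then accepts the path it found.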