[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DPD & DPV Basics

To: Steve Hanna <steve.hanna@xxxxxxx>
Subject: Re: DPD & DPV Basics
From: Stephen Kent <kent@xxxxxxx>
Date: Thu, 11 Jan 2001 18:17:51 -0500
Cc: PKIX List <ietf-pkix@xxxxxxx>
In-reply-to: <>
References: <>

Steve,

It seems that at least some members of the working group have not yet
agreed upon certain basic concepts. Perhaps it would be useful for me to
articulate these concepts so that they can be discussed separately from
the detailed requirements supplied by Steve. Discussion of those
detailed requirements can proceed simultaneously, but it would be good
if we could reach agreement on these basic concepts or at least
understand why we don't agree on them. I suspect that we already have
rough consensus on these concepts, but it would be good to get any
debate on them out into the open so that we can understand the technical
foundations from which that debate arises.

Here's my take on the basic concepts of DPD and DPV:

The basic job of a DPV server is to validate a certification path. In
its most basic form, it will perform the following steps:

1) Receive a request containing a certification path and other inputs
   to the validation algorithm (trust anchors, required certificate
   policies, etc.)
2) Validate the supplied certification path using the supplied inputs
3) Send a response containing the results of the validation (at least,
   an indication of success or failure)

Many refinements to this are possible: the client supplying only a
subset of the necessary inputs (by referring to an established policy),
the server returning supporting evidence such as CRLs and OCSP
responses, the client supplying CRLs or OCSP responses that may be
useful to the server, etc. But I think it may be useful to reach
agreement on the basic model described above before discussing these
refinements (however worthy).

I think the "refinement" re completeness of input is a basic issue, not just a refinement. Also, the control inputs (non-cert and non-revocation status data) for validation may be explicit or references. I think the strawman motivated the need for both forms of specification, based on client capabilities, and the desire for centralized control of validation in some environments. Also, the need for the DPV server to return data that supports NR seems like an important feature, for some set of apps, though not all.

The basic job of a DPD server is to discover a certification path. In
its most basic form, it will perform the following steps:

1) Receive a request containing a target certificate and inputs to the
   validation algorithm (trust anchors, etc.)
2) Attempt to discover a certification path ending in the target
   certificate that will validate properly given the supplied inputs
3) Send a response containing the results of the discovery process
   (at least an indication of success or failure and, in the success
   case, the discovered certification path)

Most of the refinements listed above with respect to the DPV server can
also be applied to the DPD server. In addition, other refinements might
include having the client supply additional certificates that may be
useful to the server (such as certificates received with an S/MIME email
message).

I look forward to seeing a discussion on this topic. If no discussion
results, I suppose that I will conclude that there is general agreement
about these basic concepts. However, simple affirmative messages
agreeing with these basic concepts would be useful in judging rough
consensus.

I agree with the basic notions here, as qualified above.

Steve

Follow-Ups:
- Re: DPD & DPV Basics
  - From: Steve Hanna

References:
- DPD & DPV Basics
  - From: Steve Hanna

Prev by Date: Re: DPD & DPV Basics
Next by Date: RE: DPD & DPV Basics
Previous by thread: DPD & DPV Basics
Next by thread: Re: DPD & DPV Basics
Index(es):
- Date
- Thread